Dave Cridland wrote:
>> 4. Do you have any security concerns related to this specification?
>
> The only security issue I can think of is if the presentation could be
> used to spoof a message from another participant, or from the service.
>
> Typically, clients display messages on exit such as "dwd has left", or
> "dwd has joined the group chat" - it may be useful to alert implementors
> to ensuring that such messages cannot be spoofed by the user typing "/me
> has left", thus - perhaps - avoiding being kicked. This is the reason, I
> believe, behind the recommendation (and typical implementation) of
> prepending the nickname with a "*".

In the olden days of groupchat 1.0, mu-conference and perhaps some other MUC components enabled the admins to configure fun leave messages such as "stpeter has disappeared in a puff of smoke". In XEP-0045 these are discouraged, in favor of handling the presence unavailable event:

<presence from="[email protected]/psa" type="unavailable"/>

Then the receiving client shows an event, such as:

*** psa has left the room

But I agree that needs to be differentiated (in the UI) from:

/me has left the room

So I'll clarify that.

Peter
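Added example, not part of the original message or of XEP-0045: a minimal client-side renderer that decides how a line is displayed from the stanza type alone, so a typed "/me has left the room" can never be shown as a room event. The function names, the `<nick>` chat prefix and the `room@chat.example` JIDs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Strip an XML namespace: '{jabber:client}message' -> 'message'."""
    return tag.rsplit("}", 1)[-1]


def nick_of(jid):
    """In a MUC room the occupant nickname is the resource part of the JID."""
    return jid.split("/", 1)[1] if "/" in jid else jid


def render(stanza_xml):
    """Return (kind, line) for one stanza.

    kind comes from the stanza element and its type attribute, never from
    text the sender typed, so the UI can style each kind differently.
    """
    el = ET.fromstring(stanza_xml)
    nick = nick_of(el.get("from", ""))
    name = local(el.tag)
    if name == "presence" and el.get("type") == "unavailable":
        # Only a presence stanza can produce the '***' event line.
        return ("event", f"*** {nick} has left the room")
    if name == "message":
        body = next((c.text or "" for c in el if local(c.tag) == "body"), "")
        if body.startswith("/me "):
            # Action text: single '*' plus the sender's nickname.
            return ("action", f"* {nick} {body[4:]}")
        # Ordinary chat is always prefixed with the sender's nickname
        # (assumed display format).
        return ("chat", f"<{nick}> {body}")
    return ("ignored", "")


# Constructed sample stanzas (not taken from the thread).
LEAVE = '<presence from="room@chat.example/psa" type="unavailable"/>'
ACTION = ('<message from="room@chat.example/psa" type="groupchat">'
          '<body>/me has left the room</body></message>')
STARS = ('<message from="room@chat.example/psa" type="groupchat">'
         '<body>*** psa has left the room</body></message>')

if __name__ == "__main__":
    for stanza in (LEAVE, ACTION, STARS):
        print(render(stanza))
```

Because the text of an action line still resembles an event line, the UI should style on the returned kind (colour, icon, indentation) rather than rely on the prefix characters alone.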
