Replying to myself before I reply to the latest message from Waqas. :) On 8/30/11 12:37 PM, Peter Saint-Andre wrote:
> So far, two of the attacks (#3 and #4) that you have described (via > examples only) depend on violations of the XML spec and XEP-0030. > > Another of the attacks (#1) depends on converting the literal string > "<" to "<", which we've said for years now is incorrect. Can we agree that attacks #1, #3, and #4 are easily overcome by proper handling of inputs? > Attack #2 can be mitigated by forbidding forms without fields in > XEP-0068 and XEP-0128. Regarding attack #2, one approach, which some folks on the formerly evil former Jabber team in Denver just discussed IRL, is to simply ban XEP-0128 forms from computation of the caps hash. The only legitimate use of XEP-0128 that anyone has ever tried to standardize was XEP-0232, but we were never able to reach consensus on that spec and it has been in the Deferred state for over two years. Peter -- Peter Saint-Andre https://stpeter.im/
