On Saturday, 14 October 2017 14:40:55 CEST Jonas Wielicki wrote:
> On Saturday, 14 October 2017 14:25:59 CEST Goffi wrote:
> > and thanks for this message. I generally agree (as previously said, I'm not
> > firmly opposed to a new syntax, but it needs to be specified, with a strict
> > syntax (rejected if invalid) and extensible, and if possible XML based.
> >
> > And I also agree that XHTML-IM should be kept until this syntax is draft
> > (with possibly a mention at the top that it will be obsoleted in the
> > future). We also have to check every XEP where XHTML-IM is used (to see if
> > replacement is fine).
>
> I would be in favour of something XML-based. I’m not sure if the fact that
> one definitely has to traverse the tree to map local-names and attributes
> to their XHTML equivalents is sufficient to prevent people from letting
> maliciously injected XHTML leak into the web view. For example, if we had a
> paragraph thing called <para/> and emphasis called <emph/>:
>
> <para>This new markup is <emph>amazing</emph><script xmlns="<xhtml ns>"
> type="text/javascript">alert('or is it?');</script></para>
>
> I *think* that it should be sufficient that clients will have to traverse
> the tree to make them reject XHTML and other unknown elements and
> attributes. (Again, a reference implementation for this might help with
> that.)

I should’ve added: […], but I’m not convinced that this will stop implementations from doing the wrong thing by default, which is also why we’re trying to get rid of XHTML-IM in the first place.

kind regards,
Jonas
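The tree traversal discussed in this thread, as an added example (not code from the thread or from any XEP): a strict converter for the hypothetical `<para/>`/`<emph/>` vocabulary that emits XHTML only for allowlisted names and rejects the whole payload otherwise. The namespace `urn:example:markup:0` and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from html import escape

MARKUP_NS = "urn:example:markup:0"  # hypothetical namespace, not from any XEP
XHTML_NS = "http://www.w3.org/1999/xhtml"
# Allowlist: (namespace, local-name) -> XHTML tag emitted for it.
ELEMENT_MAP = {(MARKUP_NS, "para"): "p", (MARKUP_NS, "emph"): "em"}

class InvalidMarkup(ValueError):
    """Raised for any element or attribute outside the allowlist."""

def to_xhtml(elem):
    """Rebuild elem as an XHTML string, rejecting anything unknown."""
    # ElementTree spells qualified names as "{namespace}local".
    if elem.tag.startswith("{"):
        ns, local = elem.tag[1:].split("}", 1)
    else:
        ns, local = "", elem.tag
    tag = ELEMENT_MAP.get((ns, local))
    if tag is None:
        raise InvalidMarkup(f"unknown element {{{ns}}}{local}")
    if elem.attrib:
        # The toy vocabulary defines no attributes, so any attribute is invalid.
        raise InvalidMarkup(f"unexpected attribute on {local}")
    # Output is built only from mapped tag names and escaped text;
    # nothing from the input tree is copied through as markup.
    parts = [f"<{tag}>", escape(elem.text or "")]
    for child in elem:
        parts.append(to_xhtml(child))
        parts.append(escape(child.tail or ""))
    parts.append(f"</{tag}>")
    return "".join(parts)

def render(payload):
    """Parse one markup payload and return XHTML, or raise InvalidMarkup."""
    return to_xhtml(ET.fromstring(payload))

# Constructed sample inputs: a valid payload and one carrying foreign XHTML.
GOOD = f'<para xmlns="{MARKUP_NS}">This new markup is <emph>amazing</emph></para>'
BAD = (f'<para xmlns="{MARKUP_NS}">This new markup is <emph>amazing</emph>'
       f'<script xmlns="{XHTML_NS}" type="text/javascript">alert(1);</script></para>')
```

Because the output is assembled from the allowlist rather than serialized from the input tree, an implementation that skips the check has nothing to pass through: the XHTML-namespaced `<script/>` in `BAD` raises `InvalidMarkup` instead of reaching the web view.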
