Wed, 18 Oct 2017 21:43:22 +0100 Maxime Buquet <[email protected]> wrote:
> I don't want to shut all doors, but I have a hard time seeing what
> benefit this will bring. I only see wasted time and effort, and years
> of incompatibilities and tensions between clients. All of this to
> bring more or less the same product on the table, in a slightly
> modified way.
>
> We have one XEP that allows embedding rich content in messages, and
> that is XHTML-IM. I do agree that the XEP is not perfect, and that we
> can garnish it a bit more with security recommendations, etc., but in
> general it does the job.
>
> Replacing it with JSON or another specified format will certainly lead
> to the same kind of issues that start this thread.
>
> Yes, developers have to be careful, and no, not everybody is. Once
> we've reached this stage I don't think there is any point in
> discussing if it's going to be more or less prone to vulnerabilities.

Agreed. I also don't see how using another format guarantees absence of security issues. OK, with XHTML-IM we know some sort of attacks (XSS mostly), and we can consider this. Also, there might be other attacks we don't know about yet. But with other formats the situation is the same: there are some known vulnerabilities (bare minimum: failure to escape HTML tags correctly), and there are some unknown attacks. What is the difference?

If we say that we cannot implement securely any XML markup, it doesn't magically mean we can implement securely other markups. Fine, we can assume that the amount of existing+potential bugs in XHTML is greater than in other proposed markup, but is it worth putting effort into writing a new XEP, breaking compatibility, requiring developers to re-implement the same in a different way only because it's less bug prone? Using the same logic we should rewrite XMPP in something more secure than XML, because it also has lots of security issues (see [1] for example).
[1] https://www.owasp.org/index.php/XML_Security_Cheat_Sheet
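The point both sides of this exchange make, that a renderer for any rich-text format has to allowlist elements and escape text before it reaches HTML, as an added example that is not code from the thread or from any XMPP client: a minimal XHTML-IM sanitizer in Python next to the escaping step a JSON format would still require. The tag and attribute allowlist is a constructed subset, not XEP-0071's recommended profile.

```python
import html
import json
import xml.etree.ElementTree as ET

# Constructed allowlist for illustration; XEP-0071's recommended profile is larger.
ALLOWED_TAGS = {"body", "p", "span", "a", "br", "strong", "em"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "xmpp:", "mailto:")


def _local(name):
    """Strip the XHTML namespace that ElementTree prefixes as '{ns}tag'."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def _render(el):
    name = _local(el.tag)
    if name not in ALLOWED_TAGS:
        return ""  # unknown element: drop it together with its whole subtree
    if name == "br":
        return "<br>"
    attrs = ""
    for key, value in el.attrib.items():
        key = _local(key)
        if key not in ALLOWED_ATTRS.get(name, set()):
            continue  # drops event-handler attributes and anything not allowlisted
        if key == "href" and not value.lower().startswith(SAFE_SCHEMES):
            continue  # drops javascript:, data: and other unexpected URL schemes
        attrs += f' {key}="{html.escape(value, quote=True)}"'
    inner = html.escape(el.text or "")  # text nodes are re-escaped on output
    for child in el:
        inner += _render(child) + html.escape(child.tail or "")
    tag = "div" if name == "body" else name  # the XHTML-IM <body> becomes a div
    return f"<{tag}{attrs}>{inner}</{tag}>"


def sanitize_xhtml_im(xhtml_body):
    """Parse an XHTML-IM <body> and return HTML containing only allowlisted
    elements and attributes; everything else is removed, not merely escaped."""
    return _render(ET.fromstring(xhtml_body))


def render_json_rich_text(json_runs):
    """The same obligation in a JSON format: each text run must be escaped
    before it is placed in HTML, or markup inside a string value becomes live."""
    parts = []
    for run in json.loads(json_runs):
        text = html.escape(run["text"])
        if run.get("bold"):
            text = f"<strong>{text}</strong>"
        parts.append(text)
    return "<p>" + "".join(parts) + "</p>"
```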
