On Wed, Mar 7, 2018, at 12:33, Kozlov Konstantin wrote:
> So, the only reason to obsolete the XEP is not the XEP itself, but bad
> implementations? 

In a sense. Fixing the existing broken implementation doesn't fix the 
underlying problem though. It's more about the fact that any tiny mistake when 
implementing the XEP will likely create a security issue (as we have seen in 
the real world). Because even if you implement a whitelist (which is 
technically secure) it is a whitelist on top of a very large, complicated 
system with many different attack vectors. If you make any sort of mistake when 
implementing that whitelist, you potentially expose the underlying complicated 
system (XHTML). If we can build something simpler on top of a less complicated 
system, we can hopefully avoid some of these issues.

Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: standards-unsubscr...@xmpp.org

Reply via email to