[replying on-list]

On 8/7/18 12:37 PM, Jonas Wielicki wrote:
> On Tuesday, 7 August 2018 18:28:45 CEST you wrote:
>> On 8/5/18 4:59 AM, Jonas Wielicki wrote:
>>> Hi all,
>>>
>>> So while running the XEP-0060 node_config data form [1] through the thing
>>> which builds aioxmpp code to process it, I came across this funny field:
>>>
>>> <field var='pubsub#dataform_xslt'
>>>        type='text-single'
>>>        label='The URL of an XSL transformation which can be
>>>               applied to the payload format in order to generate
>>>               a valid Data Forms result that the client could
>>>               display using a generic Data Forms rendering
>>>               engine'/>
>>>
>>> I was at first confused, but then figured out that this is an XSLT which
>>> can be applied to the payload in the node items to extract a XEP-0004
>>> Data Form which is then renderable.
>>
>> It seems to be a data forms result, not a form one would fill out.
>
> Ahh, that makes slightly more sense.
>
>>> At least that’s what I think. There’s no text which
>>> describes its use in more detail.
>>
>>> So, I have a few questions:
>>
>> A simpler question: is anyone using this feature?
>>
>> I doubt it, and I'd be inclined to remove it.
>
> Me too.
>
> However, even if we decide to keep it, and even if the XSLT is actually
> supposed to be executed on the server side of things, the security issues of
> that *very much* need to be documented.

I'm suggesting we delete the feature - most likely it was something we thought might be useful someday, which turned out to be false (leaving aside the many security issues!).

Peter
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
