[Standards] XEP-0106: JID\20Escaping
Peter Saint-Andre
stpeter at jabber.org
Fri Jun 1 10:53:44 CDT 2007
Back in February, Joe Hildebrand and I (as authors of XEP-0106) had an
offlist email discussion with Robin Redeker (Perl library author) about
some ambiguities and possible security concerns related to XEP-0106.
Last night I looked into this again. As always, JID Escaping makes my
head hurt, but I decided to forge ahead. Here are some tentative
conclusions from the earlier email thread and my recent research:
1. The spec is not as clear as it could be. I'm working to clean it up,
especially by adding a plethora of new examples.
2. If the sequence \5c is in the source (unescaped) address, that string
also needs to be escaped (to \5c5c). This is necessary to prevent
certain very rare instances of confusion between JIDs. (In fact, as shown
below, there is not a single instance of the string \5c in the 250k
usernames on the jabber.org server, so the risk here is very small.)
3. A node identifier MUST NOT start with the string \20, which would be
escaped to SP (" ") and therefore mess up transformations to numerous
other systems (and probably also mess with users' heads). I think \20 is
OK at the end of a node identifier but we might want to discourage that
as well.
4. No mapping is defined to and from IRC addresses. I've added one.
BTW, a quick search through the 250,000 usernames on jabber.org yields
the following hits for the following strings (which according to
XEP-0106 would be escaped to the characters in parentheses):
- Zero hits for:
  - \22 (")
  - \26 (&)
  - \27 (')
  - \2f (/)
  - \3c (<)
  - \3e (>)
  - \5c (\)
- 2 hits for \3a (:)
- 14 hits for \20 (SPACE)
- 49 hits for \40 (@)
As time allows I will update XEP-0106 accordingly.
Peter
--
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
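
Added example, not part of the original post and not code from XEP-0106 or its authors: Python showing the JID confusion behind point 2 and the leading-\20 rule of point 3, using the ten escape codes listed in the post. The function names and sample usernames are constructed, and treating a backslash in front of any of the ten codes (not only \5c) as needing escaping is an assumption that extends point 2 by the same reasoning.

```python
import re

# Characters and their escape codes, as listed in the post.
CODES = {" ": "20", '"': "22", "&": "26", "'": "27", "/": "2f",
         ":": "3a", "<": "3c", ">": "3e", "@": "40", "\\": "5c"}
CHARS = {code: ch for ch, code in CODES.items()}
ALT = "|".join(CHARS)                       # 20|22|26|...|5c

ESCAPED = re.compile(r"\\(" + ALT + r")")
DISALLOWED = re.compile(r"[ \"&'/:<>@]")
# A disallowed character, or a backslash that already looks like the start
# of an escape sequence in the source (assumption: any of the ten codes).
NEEDS_ESCAPE = re.compile(r"\\(?=" + ALT + r")|[ \"&'/:<>@]")


def _code(match):
    return "\\" + CODES[match.group(0)]


def naive_escape(source):
    """Escapes disallowed characters only; backslashes pass through."""
    return DISALLOWED.sub(_code, source)


def escape_node(source):
    """Escapes per point 2 and rejects a leading \\20 per point 3."""
    node = NEEDS_ESCAPE.sub(_code, source)
    if node.startswith("\\20"):
        raise ValueError("node identifier must not start with \\20")
    return node


def unescape_node(node):
    """Single left-to-right pass, so \\5c5c yields the literal text \\5c."""
    return ESCAPED.sub(lambda m: CHARS[m.group(1)], node)


if __name__ == "__main__":
    # Constructed usernames: one contains the literal text \5c, one a backslash.
    for name in ("tre\\5cbien", "tre\\bien", "c:\\cool stuff", "\\40home"):
        naive, safe = naive_escape(name), escape_node(name)
        print(f"{name!r:18} naive={unescape_node(naive)!r:18} "
              f"fixed={unescape_node(safe)!r}")
```

With the naive routine the first two usernames unescape to the same string, which is the confusion between JIDs that point 2 guards against.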