[Standards] XEP-0106: JID\20Escaping

Peter Saint-Andre stpeter at jabber.org
Fri Jun 1 10:53:44 CDT 2007


Back in February, Joe Hildebrand and I (as authors of XEP-0106) had an 
offlist email discussion with Robin Redeker (Perl library author) about 
some ambiguities and possible security concerns related to XEP-0106. 
Last night I looked into this again. As always, JID Escaping makes my 
head hurt, but I decided to forge ahead. Here are some tentative 
conclusions from the earlier email thread and my recent research:

1. The spec is not as clear as it could be. I'm working to clean it up, 
especially by adding a plethora of new examples.

2. If the sequence \5c is in the source (unescaped) address, that string 
also needs to be escaped (to \5c5c). This is necessary to prevent 
certain very rare instances of confusion between JIDs. (In fact as shown 
below there is not a single instance of the string \5c in the 250k 
usernames on the jabber.org server, so the risk here is very small.)

3. A node identifier MUST NOT start with the string \20, which would be 
escaped to SP (" ") and therefore mess up transformations to numerous 
other systems (and probably also mess with users' heads). I think \20 is 
OK at the end of a node identifier but we might want to discourage that 
as well.

4. No mapping is defined to and from IRC addresses. I've added one.

BTW, a quick search through the 250,000 usernames on jabber.org yields 
the following hits for the following strings (which according to 
XEP-0106 would be escaped to the characters in parentheses):

- Zero hits for:
   - \22 (")
   - \26 (&)
   - \27 (')
   - \2f (/)
   - \3c (<)
   - \3e (>)
   - \5c (\)
- 2 hits for \3a (:)
- 14 hits for \20 (SPACE)
- 49 hits for \40 (@)

As time allows I will update XEP-0106 accordingly.

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7358 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mail.jabber.org/pipermail/standards/attachments/20070601/584fcc16/smime.bin


More information about the Standards mailing list