I was convinced to advocate for deprecating XHTML-IM by
Waqas Hussain, who
found serious security vulnerabilities in the wild among a number of XMPP
clients. Although in theory XHTML-IM might be "nice", as Sergei put it in
this thread (and I was always quite fond of it myself), if in practice
client developers can't or won't implement it safely then we shouldn't
bring it back from the dead.
I understand that this has been the argument but I do not find it
convincing. People will find ways to implement every XEP in an insecure
fashion. Many vulnerabilities have been found in HTTP file sharing
implementations but we do not deprecate HTTP. Security vulnerabilities have
been found in implementations of
https://xmpp.org/extensions/xep-0393.html
but we don't deprecate that either. HTML does not have any more likelihood
of causing security issues than these others. All have been abused in ways
that caused issues and when we become aware of these it is important to
document them of course.