[Standards] LAST CALL: XEP-0245 (The /me Command)
stpeter at stpeter.im
Wed Jan 7 22:08:14 UTC 2009
Dave Cridland wrote:
>> 4. Do you have any security concerns related to this specification?
> The only security issue I can think of is if the presentation could be
> used to spoof a message from another participant, or from the service.
> Typically, clients display messages on exit such as "dwd has left", or
> "dwd has joined the group chat" - it may be useful to alert implementors
> to ensuring that such messages cannot be spoofed by the user typing "/me
> has left", thus - perhaps - avoiding being kicked. This is the reason, I
> believe, behind the recommendation (and typical implementation) of
> prepending the nickname with a "*".

In the olden days of groupchat 1.0, mu-conference and perhaps some other
MUC components enabled the admins to configure fun leave messages such
as "stpeter has disappeared in a puff of smoke". In XEP-0045 these are
discouraged, in favor of handling the presence unavailable event:

<presence from="jabber@conference.jabber.org/psa" type="unavailable"/>

Then the receiving client shows an event, such as:

*** psa has left the room

But I agree that needs to be differentiated (in the UI) from:

/me has left the room

So I'll clarify that.
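
The differentiation discussed in this message, as an added example that is not part of the original post or of XEP-0245: a renderer that takes the line's kind from the stanza element, never from the body text, so a typed "/me has left the room" cannot be displayed as a system event. The function name `render`, the "kind" labels, the chat-line format and the example.org stanzas are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas (room and nicknames are illustrative).
LEAVE = '<presence from="room@conference.example.org/psa" type="unavailable"/>'
ACTION = ('<message from="room@conference.example.org/dwd" type="groupchat">'
          '<body>/me has left the room</body></message>')
FAKE = ('<message from="room@conference.example.org/dwd" type="groupchat">'
        '<body>*** psa has left the room</body></message>')


def render(stanza_xml):
    """Return (kind, line) for one stanza received from the room.

    kind is "system", "action" or "chat" and depends only on the stanza
    element and its type attribute, so the UI can style system events in a
    way that user-typed text can never reach.
    """
    stanza = ET.fromstring(stanza_xml)
    # Room nickname is the resource part of the occupant JID.
    nick = stanza.get("from", "").partition("/")[2]

    if stanza.tag == "presence":
        if stanza.get("type") == "unavailable":
            return ("system", f"*** {nick} has left the room")
        # Simplification: other presence is shown as a generic update.
        return ("system", f"*** {nick} presence update")

    body = stanza.findtext("body") or ""
    if body.startswith("/me "):
        # Action line: always carries the sender's own nickname after "* ".
        return ("action", f"* {nick} {body[4:]}")
    # Ordinary chat: body shown verbatim, but behind the sender's nickname.
    return ("chat", f"<{nick}> {body}")


if __name__ == "__main__":
    for sample in (LEAVE, ACTION, FAKE):
        print(render(sample))
```
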