[Standards] LAST CALL: XEP-0245 (The /me Command)

Peter Saint-Andre stpeter at stpeter.im
Wed Jan 7 22:08:14 UTC 2009


Dave Cridland wrote:

>> 4. Do you have any security concerns related to this specification?
> 
> The only security issue I can think of is if the presentation could be
> used to spoof a message from another participant, or from the service.
> 
> Typically, clients display messages on exit such as "dwd has left", or
> "dwd has joined the group chat" - it may be useful to alert implementors
> to ensuring that such messages cannot be spoofed by the user typing "/me
> has left", thus - perhaps - avoiding being kicked. This is the reason, I
> believe, behind the recommendation (and typical implementation) of
> prepending the nickname with a "*".

In the olden days of groupchat 1.0, mu-conference and perhaps some other
MUC components enabled the admins to configure fun leave messages such
as "stpeter has disappeared in a puff of smoke". In XEP-0045 these are
discouraged, in favor of handling the presence unavailable event:

<presence from="jabber@conference.jabber.org/psa" type="unavailable"/>

Then the receiving client shows an event, such as:

*** psa has left the room

But I agree that needs to be differentiated (in the UI) from:

/me has left the room

So I'll clarify that.

Peter
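
The UI distinction discussed above, as an added example that is not part of the original message or of any XEP: a small Python renderer that gives the "***" event marker only to lines derived from presence, so a "/me" body can never produce one. The nick "dwd", the message bodies, the function names and the "<nick>" chat prefix are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas (stream namespaces omitted for brevity). The room
# JID comes from the message above; nick "dwd" and the bodies are assumptions.
ROOM = "jabber@conference.jabber.org"
STANZAS = [
    f'<message from="{ROOM}/dwd" type="groupchat"><body>/me has left the room</body></message>',
    f'<presence from="{ROOM}/psa" type="unavailable"/>',
    f'<message from="{ROOM}/dwd" type="groupchat"><body>hi\n*** psa has left the room</body></message>',
]

def nick_of(jid):
    """Return the resource part (the room nickname) of an occupant JID."""
    return jid.partition("/")[2]

def flatten(text):
    """Replace non-printable characters so user text cannot start a new display line."""
    return "".join(c if c.isprintable() else " " for c in text)

def render(stanza_xml):
    """Return (kind, line); kind is 'event' only for presence-derived lines."""
    el = ET.fromstring(stanza_xml)
    nick = flatten(nick_of(el.get("from", "")))
    if el.tag == "presence":
        if el.get("type") == "unavailable":
            return ("event", f"*** {nick} has left the room")
        return ("ignored", "")  # other presence is out of scope for this sketch
    body = flatten(el.findtext("body") or "")
    if body.startswith("/me "):
        # Action message: single "*" before the nick, never the "***" marker.
        return ("action", f"* {nick} {body[4:]}")
    # Ordinary chat always starts with the sender's nick, so an embedded
    # "***" stays inside the sender's own line.
    return ("chat", f"<{nick}> {body}")

def render_all(stanzas=STANZAS):
    """Render every sample stanza in order."""
    return [render(s) for s in stanzas]

if __name__ == "__main__":
    for kind, line in render_all():
        print(f"[{kind:6}] {line}")
```

A client would additionally style the `event` kind differently (colour, icon, or a separate column) rather than relying on the text prefix alone.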




