[Standards] request for reviews: XEP-0045 v1.25rc5

Alexander Holler holler at ahsoftware.de
Tue Sep 6 13:37:38 UTC 2011


On 06.09.2011 11:09, Ralph Meijer wrote:
> On Tue, 2011-09-06 at 09:24 +0200, Alexander Holler wrote:
>> [..]
>>
>> I don't see any reason why the user should send a form to the server.
>>
>> If using a form is wanted, the correct way would be that the user
>> requests a form for the request from the server, and sends back the
>> result, which is then processed by the server (resulting in a form for
>> the moderator).
>>
>> The described way where the user generates a form only makes sense, if
>> that form is forwarded to the moderator. But that would result in the
>> possible problems I've described (e.g. hidden fields and wrong labels).
>
> I don't see how requesting a form from the service first somehow makes
> this better. An attacker could simply ignore that form and submit its
> own bad one.

What's the point that the user sends labels?

Where does the user get the list of required fields from?

Regards,

Alexander


