[Standards] request for reviews: XEP-0045 v1.25rc5

Alexander Holler holler at ahsoftware.de
Tue Sep 6 13:37:38 UTC 2011

On 06.09.2011 11:09, Ralph Meijer wrote:
> On Tue, 2011-09-06 at 09:24 +0200, Alexander Holler wrote:
>> [..]
>> I don't see any reason why the user should send a form to the server.
>> If using a form is wanted, the correct way would be that the user
>> requests a form for the request from the server, and sends back the
>> result, which is then processed by the server (resulting in a form for
>> the moderator).
>> The described way where the user generates a form only makes sense, if
>> that form is forwarded to the moderator. But that would result in the
>> possible problems I've described (e.g. hidden fields and wrong labels).
> I don't see how requesting a form from the service first somehow makes
> this better. An attacker could simply ignore that form and submit its
> own bad one.

What's the point that the user sends labels?

Where does the user get the list of required fields from?
