[Standards] XEP-0060: pubsub#dataform_xslt (yes, but why?)
stpeter at mozilla.com
Tue Aug 7 19:21:02 UTC 2018
On 8/7/18 12:37 PM, Jonas Wielicki wrote:
> On Dienstag, 7. August 2018 18:28:45 CEST you wrote:
>> On 8/5/18 4:59 AM, Jonas Wielicki wrote:
>>> Hi all,
>>> So while running the XEP-0060 node_config data form  through the thing
>>> which builds aioxmpp code to process it, I came across this funny field:
>>> <field var='pubsub#dataform_xslt'
>>> label='The URL of an XSL transformation which can be
>>> applied to the payload format in order to generate
>>> a valid Data Forms result that the client could
>>> display using a generic Data Forms rendering
>>> I was at first confused, but then figured out that this is an XSLT which
>>> can be applied to the payload in the node items to extract a XEP-0004
>>> Data Form which is then renderable.
>> It seems to be a data forms result, not a form one would fill out.
> Ahh, that makes slightly more sense.
>>> At least that’s what I think. There’s no text which
>>> describes its use in more detail.
>>> So, I have a few questions:
>> A simpler question: is anyone using this feature?
>> I doubt it, and I'd be inclined to remove it.
> Me too.
> However, even if we decide to keep it, and even if the XSLT is actually
> supposed to be executed on the server side of things, the security issues of
> that *very much* need to be documented.
I'm suggesting we delete the feature - most likely it was something we
thought might be useful someday, which turned to be false (leaving aside
the many security issues!).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: OpenPGP digital signature
More information about the Standards