[Standards] XEP-0060: pubsub#dataform_xslt (yes, but why?)

Peter Saint-Andre stpeter at mozilla.com
Tue Aug 7 19:21:02 UTC 2018

[replying on-list]

On 8/7/18 12:37 PM, Jonas Wielicki wrote:
> On Tuesday, 7 August 2018 18:28:45 CEST you wrote:
>> On 8/5/18 4:59 AM, Jonas Wielicki wrote:
>>> Hi all,
>>> So while running the XEP-0060 node_config data form [1] through the thing
>>> which builds aioxmpp code to process it, I came across this funny field:
>>>   <field var='pubsub#dataform_xslt'
>>>          type='text-single'
>>>          label='The URL of an XSL transformation which can be
>>>                 applied to the payload format in order to generate
>>>                 a valid Data Forms result that the client could
>>>                 display using a generic Data Forms rendering
>>>                 engine'/>
>>> I was at first confused, but then figured out that this is an XSLT which
>>> can be applied to the payload in the node items to extract a XEP-0004
>>> Data Form which is then renderable.
>> It seems to be a data forms result, not a form one would fill out.
> Ahh, that makes slightly more sense.
>>> At least that’s what I think. There’s no text which
>>> describes its use in more detail.
>>> So, I have a few questions:
>> A simpler question: is anyone using this feature?
>> I doubt it, and I'd be inclined to remove it.
> Me too.
> However, even if we decide to keep it, and even if the XSLT is actually 
> supposed to be executed on the server side of things, the security issues of 
> that *very much* need to be documented.

I'm suggesting we delete the feature - most likely it was something we
thought might be useful someday, which turned out to be false (leaving aside
the many security issues!).


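Added example, not part of the original thread and not aioxmpp code: one way a client or service that processes a XEP-0060 node_config form could surface the pubsub#dataform_xslt field and drop it without ever fetching or running the stylesheet. The function names, the sample form and the "drop the field" policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"x": "jabber:x:data"}
NODE_CONFIG = "http://jabber.org/protocol/pubsub#node_config"
XSLT_FIELD = "pubsub#dataform_xslt"  # field name quoted in the thread

# Constructed sample: a submitted node_config form carrying the field.
SAMPLE_FORM = """
<x xmlns='jabber:x:data' type='submit'>
  <field var='FORM_TYPE' type='hidden'>
    <value>http://jabber.org/protocol/pubsub#node_config</value>
  </field>
  <field var='pubsub#title'><value>Example node</value></field>
  <field var='pubsub#dataform_xslt'>
    <value>http://xslt.example/payload-to-form.xsl</value>
  </field>
</x>
"""

def field_values(form, var):
    """Return the text of every <value/> of the field named `var`."""
    return [
        (v.text or "").strip()
        for f in form.findall("x:field", NS) if f.get("var") == var
        for v in f.findall("x:value", NS)
    ]

def audit_node_config(xml_text):
    """Return (sanitized_form_xml, findings) for a node_config form.

    The stylesheet URL is only parsed as a string, never dereferenced.
    """
    form = ET.fromstring(xml_text)
    if form.tag != "{jabber:x:data}x":
        raise ValueError("not a XEP-0004 data form")
    if NODE_CONFIG not in field_values(form, "FORM_TYPE"):
        raise ValueError("not a pubsub#node_config form")
    findings = []
    for field in form.findall("x:field", NS):  # findall returns a list copy
        if field.get("var") != XSLT_FIELD:
            continue
        for url in field_values(form, XSLT_FIELD):
            parts = urlsplit(url)
            findings.append({"url": url, "scheme": parts.scheme,
                             "host": parts.hostname})
        form.remove(field)  # assumption: local policy is to ignore the field
    return ET.tostring(form, encoding="unicode"), findings
```

The findings list is meant for logging or operator review; the sanitized form is what would be passed on to the rest of the configuration handling.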