[Standards] XEP-0390: use of separators which are valid (but discouraged) in XML 1.1 (as opposed to 1.0)

Florian Schmaus flo at geekplace.eu
Mon Mar 5 10:27:17 UTC 2018

On 05.03.2018 10:46, Kevin Smith wrote:
> On 5 Mar 2018, at 09:33, Florian Schmaus <flo at geekplace.eu> wrote:
>> On 05.03.2018 09:04, Jonas Wielicki wrote:
>>> Dear list,
>>> Florian discovered that the ASCII separators we use, while invalid in XML 1.0 
>>> (upon which RFC 6120 bases), are only discouraged in XML 1.1. 
>>> I wonder whether we should be concerned about this. 
>> I wouldn't be worried, as I'd expect XMPP to stay XML 1.0 for a
>> foreseeable future. If you violate XML 1.0 and accept non well-formed
>> XML 1.0, then it is not really something extension protocols have to
>> consider.
> I’m not convinced I agree with this. If using an XML 1.1 parser would introduce some security hole in a spec it’s definitely something that needs consideration.

Using an XML 1.1 parser with XMPP introduces all sorts of issues, likely
including security issues. I'm not aware of any XEP that discusses or
considers it.

Same is true when sending XML 1.1 which is not well-formed XML 1.0.

It's also not really about XML 1.1: What about implementations using a
parser that accepts data which is neither XML 1.0 or 1.1.? Should we
consider those when designating protocols too? What about
implementations that do no normalize JIDs, which could cause all sorts
of security issues? Where do we draw the line?

In xep390's it is a low hanging fruit to make the protocol more robust
hence I'm not opposed to pick it. But in general I dislike the idea to
consider all sorts of possibly invalid implementation flaws when
designing a protocol. Therefore I would also be happy if xep390 would
simply include a short warning hint that those codepoints are invalid in
XML 1.0 / XMPP, avoiding the namespace bump.

- Florian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 642 bytes
Desc: OpenPGP digital signature
URL: <http://mail.jabber.org/pipermail/standards/attachments/20180305/d5168419/attachment.sig>

More information about the Standards mailing list