[Standards] OBSOLETED: XEP-0071 (XHTML-IM)

Sam Whited sam at samwhited.com
Wed Mar 7 18:40:46 UTC 2018

On Wed, Mar 7, 2018, at 12:33, Kozlov Konstantin wrote:
> So, the only reason to obsolete the XEP is not the XEP itself, but bad
> implementations? 

In a sense. Fixing the existing broken implementation doesn't fix the underlying problem though. It's more about the fact that any tiny mistake when implementing the XEP will likely create a security issue (as we have seen in the real world). Because even if you implement a whitelist (which is technically secure) it is a whitelist on top of a very large, complicated system with many different attack vectors. If you make any sort of mistake when implementing that whitelist, you potentially expose the underlying complicated system (XHTML). If we can build something simpler on top of a less complicated system, we can hopefully avoid some of these issues.


More information about the Standards mailing list