[Standards] OBSOLETED: XEP-0071 (XHTML-IM)

Evgeny Khramtsov xramtsov at gmail.com
Thu Mar 8 08:34:24 UTC 2018

Thu, 08 Mar 2018 08:51:26 +0100
Jonas Wielicki <jonas at wielicki.name> wrote:

> How many XMPP clients have you seen which were owned by Billion
> Laughs (which uses entities which are explicitly forbidden in RFC6120
> and trivial to turn off in all XML parsers I’ve seen so far) compared
> to the amount of XMPP clients Sam has found which were vulnerable to
> XHTML-IM XSS attacks? I think the comparison might not hold up, but
> I’m open for data. (Likewise for any other XML vulnerability.)

I don't know; I didn't count and am not going to count them for you. Kids
these days might not remember, but Billion Laughs was a pretty serious
vulnerability despite being well known, with several implementations
affected. So new XMPP implementations might just as easily be vulnerable.

> Also, XML vulnerabilities are both well-known and easy to test
> against (in the sense: it is easy to write an automated test which
> ensures that code is not vulnerable).

And where are those tests?

> I don’t think that’s so trivial with XSS attacks. During the
> XHTML-IM debate I learnt that even CSS can be an XSS vector (in some
> really broken implementations

Sure, and were there debates about possible XML security holes? So the
comparison is not quite fair. Not to mention that it's a logical
fallacy to speculate about possible vulnerabilities: one can say
anything might have security issues.

> In contrast to XML, XHTML-IM is a custom thing which needs to be
> re-implemented in ~every client. Well-known XML libraries exist for most
> languages (even if they only FFI to libxml2 or libexpat).

Well-known XML libraries didn't protect from the Billion Laughs attack. Not
sure what this argument is for.

TL;DR: I conclude that the only argument is that XML is a bit more
secure (with possibly fewer possible holes, lol). So, as I thought, this
is purely a matter of personal choice and not a technical decision;
that's why we debated it so much.

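The thread turns on two points: whether XML parsers used by XMPP implementations actually reject the DTD and entity constructs that RFC 6120 section 11.1 forbids on the stream (the mechanism behind Billion Laughs), and Evgeny's question of where the automated tests for that are. The following is an added example written for this editorial pass, not code from either poster or from any XMPP project. It configures Python's standard-library expat binding to abort on any DOCTYPE, entity declaration, comment or processing instruction before any expansion can happen, and the accompanying test feeds it constructed stanzas to check that ordinary messages parse while forbidden constructs are refused. The stanza strings and the function names are constructed for the example.

```python
"""Strict XML parsing for an XMPP-style stream.

RFC 6120 section 11.1 forbids DTD subsets, non-predefined entity
references, comments and processing instructions on the stream.  Refusing
those constructs at the parser level means entity-expansion payloads
(Billion Laughs and friends) are rejected before expansion even starts.

Added example for the thread above; sample stanzas are constructed.
"""
import xml.parsers.expat as expat


class ForbiddenXmlConstruct(Exception):
    """Raised when the input uses a construct RFC 6120 section 11.1 forbids."""


def _forbid(what):
    # Build an expat handler that aborts parsing as soon as `what` is seen.
    # An exception raised inside a handler propagates out of Parse().
    def handler(*_args):
        raise ForbiddenXmlConstruct(f"{what} is not allowed in an XMPP stream")
    return handler


def make_strict_parser(elements, text):
    """Create an expat parser that rejects forbidden constructs and records
    element names into `elements` and character data into `text`."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.CommentHandler = _forbid("comment")
    parser.ProcessingInstructionHandler = _forbid("processing instruction")
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    return parser


def parse_stanza(data):
    """Parse one stanza under the strict rules.

    Returns (True, {"elements": [...], "text": "..."}) on success, or
    (False, reason) when the input is rejected.  Undeclared entity
    references such as &foo; surface as an ExpatError because no DTD is
    allowed to declare them, so they are rejected as well.
    """
    elements, text = [], []
    parser = make_strict_parser(elements, text)
    try:
        parser.Parse(data, True)
    except ForbiddenXmlConstruct as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed: {exc}"
    return True, {"elements": elements, "text": "".join(text)}


# Constructed sample inputs for the checks below.
GOOD_STANZA = '<message to="romeo@example.net"><body>Art thou not Romeo?</body></message>'
PREDEFINED_ENTITY_STANZA = '<message><body>&amp;</body></message>'
DTD_STANZA = '<!DOCTYPE m [<!ENTITY a "aaaa">]><message><body>&a;</body></message>'
UNDECLARED_ENTITY_STANZA = '<message><body>&a;</body></message>'
COMMENT_STANZA = '<message><!-- note --><body>hi</body></message>'


def run_checks():
    """Return {label: accepted} for each constructed sample; this is the
    shape of automated test a stream implementation can keep in its suite."""
    samples = {
        "good": GOOD_STANZA,
        "predefined entity": PREDEFINED_ENTITY_STANZA,
        "dtd with entity": DTD_STANZA,
        "undeclared entity": UNDECLARED_ENTITY_STANZA,
        "comment": COMMENT_STANZA,
    }
    return {label: parse_stanza(xml)[0] for label, xml in samples.items()}


if __name__ == "__main__":
    for label, accepted in run_checks().items():
        print(f"{label:20s} {'accepted' if accepted else 'rejected'}")
```

Only the five predefined entities (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&apos;`) get through, because expat resolves them without any declaration; everything that would need a DTD is refused at the declaration, not at expansion time, so the size of a malicious payload never matters.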