[Standards] OBSOLETED: XEP-0071 (XHTML-IM)

Dave Cridland dave at cridland.net
Thu Mar 8 09:17:48 UTC 2018


On 8 March 2018 at 08:34, Evgeny Khramtsov <xramtsov at gmail.com> wrote:
> TL;DR: I conclude that the only argument is that XML is a bit more
> secure (with possibly less possible holes, lol). So, as I thought, this
> is purely a matter of personal choice and not a technical decision,
> that's why we debated about it so much.

It can be both, you know.

XML's security problems are fairly limited (essentially, entities and
escaping). Because they're highly generic, XML parsers have had
support for preventing the various entities attacks at a low level for
some time, and since these attacks are generic, they're soluble at the
XML parser level.

Embedding user-generated [X]HTML into a web UI is also a well-known
security issue, and the advice from web-devs is simply not to do it -
there are a few libraries to try and make this safe, but the browsers
don't include these, and instead you need to do iframe embedding. As
HTML and CSS standards mutate, you need your library to be constantly
maintained to ensure that security issues stay closed, or be highly
restrictive in what is allowed (and essentially parse the XHTML into
an intermediate state and reassemble only the safe parts).

Whilst there are no extant and ongoing issues with XML, the issues in
XHTML-IM keep cropping up in new web clients.

Those are the technical facts.

The personal choice of Council was to deprecate XHTML-IM based on
these facts. The previous Council decided to ensure there were
alternates for XHTML-IM use-cases instead of deprecating.

These are personal choices.

As a side-note, this doesn't have any impact on embedding XHTML into
XMPP. Just that if what you want is snazzy-looking IM messages, it's
not a sensible way to do it.

Dave.
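The two technical points in the message above, entity attacks being closed at the XML-parser level and embedded XHTML being parsed into an intermediate state and reassembled from only the safe parts, as one worked example. This is added illustration code, not code from the thread, the XSF or any XMPP client; the tag and attribute allowlist, the accepted URL schemes and the style-property filter are assumptions chosen for the example, not the normative XEP-0071 profile. Only the Python standard library's expat binding is used, so the DTD and entity refusal sits at the parser level rather than in application code.

```python
# Added example: hardened XML parsing plus allowlist rebuilding of an
# XHTML-IM body. Stdlib only. The allowlist below is an assumption.
import re
import xml.parsers.expat
from xml.sax.saxutils import escape, quoteattr

# Assumed allowlist: element local name -> attributes kept on it.
ALLOWED_TAGS = {
    "body": set(), "p": set(), "br": set(), "strong": set(), "em": set(),
    "span": {"style"}, "a": {"href"},
}
VOID_TAGS = {"br"}                      # emitted as <br/>, never <br></br>
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its text are dropped
SAFE_HREF_PREFIXES = ("http://", "https://", "xmpp:", "mailto:")
SAFE_STYLE_PROPS = {"color", "font-weight", "font-style", "text-decoration"}
SAFE_STYLE_VALUE = re.compile(r"^[A-Za-z0-9#%., -]+$")  # no url(), no quotes


class UnsafeMarkup(Exception):
    """Raised when the input uses XML features the parser refuses."""


def _local(name):
    # expat with namespace processing reports names as "<uri> <localname>"
    return name.rsplit(" ", 1)[-1]


def _clean_style(value):
    kept = []
    for decl in value.split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if prop in SAFE_STYLE_PROPS and SAFE_STYLE_VALUE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


def _clean_attrs(tag, attrs):
    out = {}
    for raw, value in attrs.items():
        name = _local(raw).lower()
        if name not in ALLOWED_TAGS[tag]:
            continue  # onclick, id, class, ...: dropped
        if name == "href":
            if not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # javascript:, data:, vbscript:, ...: dropped
        elif name == "style":
            value = _clean_style(value)
            if not value:
                continue
        out[name] = value
    return out


def sanitize_xhtml_im(xml_text):
    """Parse with DTDs/entities forbidden, then rebuild only allowlisted
    markup as a string. Raises UnsafeMarkup on refusal or malformed XML."""
    parts = []
    stack = []      # per open element: (emitted tag or None, drops_content)
    suppress = [0]  # depth of enclosing DROP_CONTENT_TAGS elements

    def forbid(*_args):  # DTD, entity declaration or external entity ref
        raise UnsafeMarkup("DTD or entity declaration rejected")

    def start(name, attrs):
        tag = _local(name).lower()
        if tag in DROP_CONTENT_TAGS:
            suppress[0] += 1
            stack.append((None, True))
        elif tag not in ALLOWED_TAGS or suppress[0]:
            stack.append((None, False))  # unknown tag: keep text, drop tag
        else:
            attr_s = "".join(f" {k}={quoteattr(v)}"
                             for k, v in sorted(_clean_attrs(tag, attrs).items()))
            if tag in VOID_TAGS:
                parts.append(f"<{tag}{attr_s}/>")
                stack.append((None, False))
            else:
                parts.append(f"<{tag}{attr_s}>")
                stack.append((tag, False))

    def end(_name):
        tag, drops_content = stack.pop()
        if drops_content:
            suppress[0] -= 1
        elif tag is not None:
            parts.append(f"</{tag}>")

    def text(data):
        if not suppress[0]:
            parts.append(escape(data))  # re-escape &, <, > on output

    p = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    p.buffer_text = True
    p.StartDoctypeDeclHandler = forbid
    p.EntityDeclHandler = forbid
    p.ExternalEntityRefHandler = forbid
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = text
    try:
        p.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeMarkup(f"malformed XML: {exc}") from None
    return "".join(parts)


def is_rejected(xml_text):
    """True when the parser refuses the input outright."""
    try:
        sanitize_xhtml_im(xml_text)
    except UnsafeMarkup:
        return True
    return False
```

The design point is the one the message makes: the entity problem is generic and is refused before any element is seen (the three `forbid` handlers), while the XHTML problem needs the allowlist rebuild, and that allowlist is the part that has to be revisited whenever HTML or CSS grows a new feature.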
