[Standards] XEP-0394: too weak to replace XEP-0071

Dave Cridland dave at cridland.net
Fri Mar 16 09:23:24 UTC 2018

On 16 March 2018 at 08:56, Kozlov Konstantin <yagiza at yandex.ru> wrote:
> Hello!
> 16.03.2018, 11:31, "Ненахов Андрей" <andrew.nenakhov at redsolution.ru>:
> btw, I'm new here, what were the reasons for deprecating XEP-0071 ?
> It's a new tradition here: deprecate XEP not because it is bad, but because
> there are a lot of bad implementations around.
> And a lot of bad implementations of XHTML-IM just because using XHTML allows
> lazy developers to use existing HTML parsers and engines instead of coding
> their own XHTML parser.
> That sounds at least strange, but that's the way it goes nowadays in XMPP
> council.

You're welcome to join the XSF, stand for (or vote for) Council, and
otherwise try to reverse that decision. Complaining about it on list
won't achieve that.

But in the meantime, my reasons for deprecating were:

* A long and unabated history of security bugs introduced by trying
(and failing) to handle XHTML-IM correctly.
* A mismatch between what people wanted from IM styling (mostly
emphasis, preformatted text) and what XHTML-IM provided (font colours,
sizes, etc).
* After discussing the security issues with a number of serious web
developers, the advice I got each time was "Don't do that".

Maybe the security issues only affected lazy developers, but (a) There
are a lot of lazy developers, then, and (b) Developers have every
right to be lazy - protocols should be as easy as possible to
implement in a secure manner. Styled IM messages really shouldn't need
to be a security trap for the unwary.

Now, you're welcome to think that was a bad decision, for bad reasons,
and I fully appreciate it's a decision that was quite contentious -
deprecation was rejected by a previous Council after all. But the fact
is that the decision is made, and unless anyone can present something
new that warrants revisiting - and I think that's very unlikely - we
should move forward, and not revisit the past.

The choice now is between XEP-0393 or XEP-0394; I'd suggest that
repeating technical arguments isn't going to make anyone lean one way
or the other, but widespread implementation might.


