<remark><p>Changed MUST to SHOULD regarding inclusion of uri element; allowed inclusion of codecs parameter in type attribute per RFC 4281; added Security Considerations section.</p></remark>
<p>In certain protocols that make use of &xep0004;, it can be helpful to include media data such as small images. One example of such a "using protocol" is &xep0158;. This document defines a method for including media data in a data form.</p>
<p>The root element for media data is <media/>. This element MUST be qualified by the 'urn:xmpp:tmp:media-element' namespace &NSNOTE;. The <media/> element MUST be contained within a <field/> element qualified by the 'jabber:x:data' namespace.</p>
<p>If the media is an image or video then the <media/> element SHOULD include 'height' and 'width' attributes specifying the recommended display size of the media in pixels.</p>
<p>The <media/> element SHOULD contain at least one <uri/> element to specify the out-of-band location of the media data. <note>Constrained execution environments prevent some clients (e.g., Web clients) from rendering media unless it has been received out-of-band.</note> If included, the <uri/> element MUST contain a URI that indicates the location and MUST include a 'type' attribute that specifies the MIME type (see &rfc2045;) of the media. The MIME type SHOULD be as registered in the &ianamedia;. The 'type' attribute MAY include the codecs parameter as specified in &rfc4281;, as shown for the "audio/ogg" media type in the example below.</p>
<p>The <media/> element MAY also contain one or more <data/> elements for distributing the media in-band. The <data/> element MUST be qualified by the 'urn:xmpp:tmp:data-element' namespace as defined in &xep0231;. The <em>encoded</em> data SHOULD NOT be larger than 8 kilobytes. <note>If a stanza contains more than one <data/> element, the sending entity MUST take care not to trigger server-defined bandwidth limits.</note></p>
<p>The following example is provided only for the purpose of illustration; consult the specifications for using protocols to see canonical examples.</p>
<example caption='Inclusion in Data Form'><![CDATA[
]]></example>
<p>The ability to include arbitrary binary data implies that it is possible to send scripts, applets, images, and executable code, which can be harmful. To reduce the risk of such exposure, an implementation MAY choose to not display or process such data but instead either completely ignore the data, show only the value of the 'alt' attribute (if included), or prompt a human user for approval (either explicitly via user action or implicitly via a list of approved entities from whom the user will accept binary data without per-event approval).</p>
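<p>One way a receiving client could apply this policy together with the element rules above, as an added example that is not part of the specification. The function name <tt>media_decision</tt>, the sample form, the reading of "8 kilobytes" as 8192 characters, the location of the 'alt' attribute, and the choice to fall back to the 'alt' text on a rule violation are all assumptions of this sketch.</p>

```python
import xml.etree.ElementTree as ET

NS_FORM = "jabber:x:data"
NS_MEDIA = "urn:xmpp:tmp:media-element"
NS_DATA = "urn:xmpp:tmp:data-element"
MAX_ENCODED = 8 * 1024  # assumption: "8 kilobytes" of encoded data read as 8192 chars

# Constructed sample form (not taken from the specification).
SAMPLE = """<x xmlns='jabber:x:data' type='form'>
  <field var='ocr'>
    <media xmlns='urn:xmpp:tmp:media-element' height='80' width='290'>
      <uri type='image/png'>http://example.org/challenge.png</uri>
      <data xmlns='urn:xmpp:tmp:data-element' alt='challenge image'>iVBORw0KGgo=</data>
    </media>
  </field>
</x>"""

def media_decision(form_xml, sender, approved_senders):
    """Return (action, detail); action is ignore, show-alt, prompt or render."""
    # A real client gets the stanza from its XMPP stream parser;
    # fromstring() is used here only to keep the example self-contained.
    form = ET.fromstring(form_xml)
    media = form.find(f"{{{NS_FORM}}}field/{{{NS_MEDIA}}}media")
    if media is None:
        return ("ignore", "no <media/> inside a jabber:x:data <field/>")
    datas = media.findall(f"{{{NS_DATA}}}data")
    uris = media.findall(f"{{{NS_MEDIA}}}uri")
    # Assumption: 'alt' may sit on <media/> or <data/>; the page does not say which.
    alt = media.get("alt") or next((d.get("alt") for d in datas if d.get("alt")), None)
    fallback = ("show-alt", alt) if alt else ("ignore", "rejected, no alt text")
    # Every <uri/> MUST carry a location and a 'type' attribute.
    if any(not u.get("type") or not (u.text or "").strip() for u in uris):
        return fallback
    # Oversized in-band payloads are refused without being decoded.
    if any(len("".join((d.text or "").split())) > MAX_ENCODED for d in datas):
        return fallback
    if not uris and not datas:
        return fallback
    # Implicit approval: the user's list of entities accepted without a prompt.
    if sender in approved_senders:
        return ("render", "sender is on the user's approved list")
    return ("prompt", f"ask the user before processing media from {sender}")
```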
<p>Until this specification advances to a status of Draft, its associated namespace shall be "urn:xmpp:tmp:media-element"; upon advancement of this specification, the &REGISTRAR; shall issue a permanent namespace in accordance with the process defined in Section 4 of &xep0053;.</p>