mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-21 08:45:04 -05:00
XEP-0071: make security considations much clearer
This commit is contained in:
parent
746cbc7f38
commit
41778634cc
@ -36,6 +36,12 @@
|
|||||||
<url>http://www.xmpp.org/schemas/xhtml-im-model.xsd</url>
|
<url>http://www.xmpp.org/schemas/xhtml-im-model.xsd</url>
|
||||||
</schemaloc>
|
</schemaloc>
|
||||||
&stpeter;
|
&stpeter;
|
||||||
|
<revision>
|
||||||
|
<version>1.5.2</version>
|
||||||
|
<date>2017-10-12</date>
|
||||||
|
<initials>jwi</initials>
|
||||||
|
<remark><p>Clarify security considerations.</p></remark>
|
||||||
|
</revision>
|
||||||
<revision>
|
<revision>
|
||||||
<version>1.5.1</version>
|
<version>1.5.1</version>
|
||||||
<date>2016-01-05</date>
|
<date>2016-01-05</date>
|
||||||
@ -838,7 +844,8 @@ That seems fine to me.
|
|||||||
</section1>
|
</section1>
|
||||||
<section1 topic='Security Considerations' anchor='security'>
|
<section1 topic='Security Considerations' anchor='security'>
|
||||||
<section2 topic='Malicious Objects' anchor='security-code'>
|
<section2 topic='Malicious Objects' anchor='security-code'>
|
||||||
<p>The exclusion of scripts, applets, binary objects, and other potentially executable code from XHTML-IM reduces the risk of exposure to harmful or malicious objects caused by inclusion of XHTML content. To further reduce the risk of such exposure, an implementation MAY choose to:</p>
|
<p>While scripts, applets, binary objects and other potentially executable code is excluded from the profiles used in XHTML-IM, malicious entities still may inject those and thus exploit entities which rely on this exclusion. Entities thus MUST assume that inbound XHTML-IM may be mailicious and MUST sanitize it according to the profile used, by ignoring elements and removing attributes as needed.</p>
|
||||||
|
<p>To further reduce the risk of such exposure, an implementation MAY choose to:</p>
|
||||||
<ul>
|
<ul>
|
||||||
<li>Not make hyperlinks clickable</li>
|
<li>Not make hyperlinks clickable</li>
|
||||||
<li>Not fetch or present images but instead show only the 'alt' text.</li>
|
<li>Not fetch or present images but instead show only the 'alt' text.</li>
|
||||||
|
Loading…
Reference in New Issue
Block a user