Poll (was: [otr-dev] OTR with Jabber/XMPP)

Rüdiger Kuhlmann l-otr.0705+23jv-l at ruediger-kuhlmann.de
Mon Feb 25 19:29:25 EST 2008


Hi,

>--[Ian Goldberg]--<ian at cypherpunks.ca>
> On Sat, Feb 02, 2008 at 03:47:43PM +0100, Timo Engel wrote:
> > It should not be task of the receiving plugin to remove HTML tags. For
> > that reason an XMPP message has a body-element where html content is
> > not allowed and the optional html-element with XHTML markup.
> No, it really should be.  Suppose the OTR specification said that the
> plaintext should first be rot-13 encoded before being encrypted.  The
> receiving OTR plugin would then be responsible for rot-13 decoding
> before passing the plaintext up to the application.  Similarly, since
> the OTR specification says that the plaintext can have HTML-markup, it's
> up to the receiving OTR plugin to handle that before passing it up to
> the receiving application.  For some receiving applications, this is
> easy, since nothing has to be done.  For others, the markup needs to be
> stripped.
> The XMPP specification says that there must be no html content in the
> body-element, which is in fact what happens; the body-element is
> base64-encoded ciphertext with no markup (on the ciphertext).

I re-read the specification. The XMPP specification says that the body
element may not contain HTML markup (for this, specific nodes are created),
and contains the plain text message. The documentation of libOTR (in
particular, the README) specifies that the usage of libOTR for sending a
message consists of letting libOTR munge the message to be sent; there is no
mention of stripping HTML tags for either sending or receiving. From this
it follows that the text put into the XMPP body tag may not contain
encrypted data from plaintext that contains markup. So there is plainly a
bug in Pidgin if it does so. What it produces may be technically a correct
XMPP message, and the encrypted data is technically a correct OTR stream,
but the combination is still incorrect.

Note that the only place in the specification that says anything about
markup in the message (chapter "Data Message") is of no relevance here,
for the obvious reason that of course a plaintext message may in general
contain markup. There just may be circumstances where this is not the
case.

Here's the question to all plugin developers:

Do you put encrypted HTML tags into the body node of XMPP messages?
(please mention the XMPP client you're involved with)

-- 
"See, free nations are peaceful nations. Free nations don't attack
 each other. Free nations don't develop weapons of mass destruction."
      - George W. Bush, Milwaukee, Wis., Oct. 3, 2003
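
Added example, not part of the original message and not code from libotr or any plugin: one way a receiving plugin for a plain-text-only client could reduce decrypted OTR plaintext that carries HTML markup to plain text, the receiving-side handling described in the quoted reply above. The function and class names and the sample message are hypothetical; the decrypted string is assumed to come from the OTR library.

```python
from html.parser import HTMLParser

# Elements whose content is never meant to be shown as message text.
_SKIP = {"script", "style"}

# Constructed sample of decrypted plaintext as an HTML-capable client might send it.
SAMPLE = ('<FONT COLOR="#ff0000"><B>see you at 5</B></FONT><BR>'
          'bring the &lt;key&gt; &amp; the cable')


class _TextExtractor(HTMLParser):
    """Collects the text of an HTML fragment and drops every tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        # The parser lowercases tag names, so <BR> and <br/> both match.
        if tag in _SKIP:
            self._skip_depth += 1
        elif tag == "br":
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in _SKIP and self._skip_depth:
            self._skip_depth -= 1
        elif tag in ("p", "div"):
            self.parts.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def otr_plaintext_to_text(decrypted: str) -> str:
    """Reduce decrypted OTR plaintext, which may carry HTML markup, to plain text."""
    parser = _TextExtractor()
    parser.feed(decrypted)
    parser.close()  # flush text the parser was still holding back
    return "".join(parser.parts).strip()


if __name__ == "__main__":
    print(otr_plaintext_to_text(SAMPLE))
```

Entities are decoded only after the tags are removed, so an escaped `&lt;key&gt;` in the message survives as literal text instead of being treated as a tag.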


