[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kopete-devel
Subject:    [kopete-devel] Re: Adium_JS
From:       Richard Smith <kde () metafoo ! co ! uk>
Date:       2005-02-20 23:49:02
Message-ID: 200502202349.03276.kde () metafoo ! co ! uk
[Download RAW message or body]

On Friday 18 February 2005 03:21, Jason Keirstead wrote:
> New Adium JS style. The patch I sent into the list was wrong again - it is
>  simpler to just commit and if some people really hate it then revert.
>
> I encourage everyone to try and compare Adium_JS to Adium. If the new style
>  suffices, we can get rid of the other Adium and use this one only.

I've not tried it, but I'm not happy about it in principle. Here's why:

We're introducing another new type of chatwindow style. I wasn't overly 
pleased about TRANSFORM_ALL_MESSAGES, but the pragmatist in me overruled my 
concerns. Now we have three different modes, things are getting out of hand. 
Plus there are extra security implications exposed by allowing remote users 
to execute arbitrary JavaScript on our client.

[Don't-allow-JavaScript rant]
Don't tell me our protocols are secure against this - I know for some of them 
we used to just throw regexes at the data the server sent, and for all I know 
we still too, plus we can't guarantee the security of messages from 
externally-developed protocol plugins. And don't tell me JavaScript isn't a 
problem - there are numerous JavaScript exploits discovered every year, and 
once you've found one, the single biggest remaining problem is to get your JS 
code executed. And don't tell me no-one's going to target Kopete - once you 
have a KJS exploit, who would you target?
[/rant]

Instead of this crazy situation, why don't we replace our three types of style 
with two:

1) A normal XSLT style, like we used to have and still have.
2) A new XSLT style, where the Kopete code does Adium-style groupings first, 
in an intelligent fashion, retransforming the most recent group every time 
it's updated.

This ought to be straightforward to implement, no JavaScript is required, no 
transforming all messages making Adium-style too slow, just a robust, 
efficient solution.

Arguments for/against, please.
-- 
Thanks,
Richard
_______________________________________________
kopete-devel mailing list
kopete-devel@kde.org
https://mail.kde.org/mailman/listinfo/kopete-devel
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic