xmppo / node-xmpp-bosh

An XMPP BOSH & WebSocket server (connection manager) written on node.js using Javascript
https://github.com/xmppo/node-xmpp-bosh

<?xml version='1.0'?> #26

Closed vinnitu closed 12 years ago

vinnitu commented 12 years ago

One PHP Jabber client uses the SimpleXML class to build XMPP stanzas and the SimpleXMLElement::asXML() function to get the resulting string, but it always returns the preamble <?xml version='1.0'?> at the beginning

and in node-xmpp-bosh the following construction does not work properly

<dummy><?xml version='1.0'?><bla>bla</bla></dummy>

because dummy is not a valid XML element, and that is why developers make a dirty hack with

$s = substr($s, strlen("<?xml version='1.0'?>"));

but ejabberd_http_bind has no such trouble

So... What do you think about it?

dhruvbird commented 12 years ago

The line "<?xml version='1.0'?>" should probably be present only when an XML doc. starts. I could be wrong though.

vinnitu commented 12 years ago

What is the main idea of using the dummy wrapper?

dhruvbird commented 12 years ago

To prevent an XML entity expansion attack.

dhruvbird commented 12 years ago

Even if we switch to a SAX parser for the WebSocket bit, the XML you paste will be invalid since we just keep continuing the same XML document - which can't have <? xml ... ?> in the middle.
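
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not node-xmpp-bosh code: a payload is normalised by dropping one XML declaration at its very start, refused if a declaration, DOCTYPE or entity declaration appears anywhere else, and only then placed inside the dummy wrapper. The function names and sample payloads are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not node-xmpp-bosh APIs.

// One XML declaration at the very start of the payload (optional BOM and
// whitespace before it, either quote style, optional encoding/standalone).
const LEADING_XML_DECL = /^\uFEFF?\s*<\?xml\s+version=(['"])1\.\d\1[^?>]*\?>\s*/;

// Remove the declaration only when it is the first thing in the payload.
function stripLeadingXmlDecl(payload) {
  return payload.replace(LEADING_XML_DECL, '');
}

// Return a rejection reason, or null when the fragment may be wrapped.
// Conservative string checks: they also reject these markers inside CDATA.
function rejectReason(fragment) {
  if (/<\?xml[\s?]/i.test(fragment)) return 'xml-declaration-inside-stream';
  if (/<!DOCTYPE/i.test(fragment)) return 'doctype-not-allowed';
  if (/<!ENTITY/i.test(fragment)) return 'entity-declaration-not-allowed';
  return null;
}

// Normalise a client payload and wrap it the way the thread describes.
function wrapForParsing(payload) {
  const fragment = stripLeadingXmlDecl(payload);
  const reason = rejectReason(fragment);
  if (reason) return { ok: false, reason };
  return { ok: true, xml: '<dummy>' + fragment + '</dummy>' };
}

// Constructed sample payloads.
const SAMPLES = [
  "<?xml version='1.0'?><bla>bla</bla>",
  '<?xml version="1.0" encoding="UTF-8"?>\n<bla>bla</bla>',
  "<bla>a</bla><?xml version='1.0'?><bla>b</bla>",
  '<!DOCTYPE d [<!ENTITY a "aaaa">]><bla>&a;</bla>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(wrapForParsing(s)));
}
```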