util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nonetheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
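
The handler policy described in the commit message above, as an added example that is not Prosody's own code: it uses Python's expat binding as a stand-in for util.xml, and the names parse_root, verdict and RestrictedXML as well as the sample inputs are constructed for illustration.

```python
import xml.parsers.expat as expat

class RestrictedXML(ValueError):
    """Raised when the input uses a construct the parser refuses to handle."""

def parse_root(data, allow_comments=False):
    """Return (name, attrs) of the root element, refusing risky constructs."""
    parser = expat.ParserCreate()
    elements = []

    def reject(kind):
        def handler(*_args):
            raise RestrictedXML(kind)
        return handler

    # No escape hatch for these two: the doctype handler fires before any
    # entity declared in the internal subset can be expanded.
    parser.StartDoctypeDeclHandler = reject("doctype declaration")
    parser.ProcessingInstructionHandler = reject("processing instruction")
    # Comments are rejected by default but the caller may enable them.
    if not allow_comments:
        parser.CommentHandler = reject("comment")
    parser.StartElementHandler = lambda name, attrs: elements.append((name, attrs))
    parser.Parse(data, True)
    return elements[0]

def verdict(data, **options):
    """Summarise the outcome of parse_root as a short string."""
    try:
        name, _attrs = parse_root(data, **options)
        return "ok: " + name
    except RestrictedXML as err:
        return "rejected: " + str(err)
    except expat.ExpatError:
        return "rejected: not well-formed"

# Constructed sample inputs (not captured traffic).
OPEN = '<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" to="example.com" version="1.0"/>'
LAUGHS = ('<!DOCTYPE open [<!ENTITY a "ha"><!ENTITY b "&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;">]><open>&c;</open>')
PI = '<open><?render fast?></open>'
COMMENT = '<open><!-- note --></open>'

if __name__ == "__main__":
    for sample in (OPEN, LAUGHS, PI, COMMENT):
        print(verdict(sample))
```

The XML declaration is not reported as a processing instruction by expat, so input that begins with `<?xml version="1.0"?>` still parses.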
lxmppd - ...
dia - Greek, 'through', pronounced "dee-ah", root of "dialogue"
metaphor - An imaginative comparison between two actions/objects etc which is not literally applicable.
minstrel - Itinerant medieval musician/singer/story teller/poet.
parody - Imitation of a poem or another poet's style for comic/satiric effect.
poesy - Archaic word for poetry.
Xinshi - Chinese poetic term which literally means 'new poetry'.
polylogue - Many conversations
Thorns thought of:
poe - Derived from "poetry"
poezie - Romanian for "poesy" and "poem"
Elain - Just a cool name
Elane - A variation
Eclaire - Idem (French)
Adel - Random
Younha - Read as "yuna"
Quezacotl - Mayan gods -> google for correct form and pronunciation
Carbuncle - FF8 Guardian Force ^^
Protos - Mars satellite
mins - Derived from minstrel
diapoe - gr. dia + poesy/poetry
xinshi - I like it for a name just like that
loom - The first application I run on the first day of using a computer
Lory - Another name I happen to like
Loki - Nordic god of mischief, IIRC
Luna - Probably taken but I think worth mentioning
Coreo - Random thought
Miria - Also random
Lora - Idem
Kraken - :P
Nebula - .