MUC Stanza post-processing might unintentionally expose real addresses
Stanzas that are shared in a MUC are typically addressed to semi-anonymous addresses. Instead of the 'real' JID of an occupant, a 'room' JID is used (in the form of roomname@conferenceserver/nickname). (Depending on the room configuration, the real JID of a user can be included as well, but that's beside the point for this issue.)
When a message is routed, Openfire will replace the room JID with the real JID, just before the message is delivered to the end client.
Some processing can occur after a stanza is routed (for example, event listeners can be triggered). Unless a defensive copy is made of the stanza, this post-processing operates on the stanza that was delivered to the end-user - where a room JID has been replaced with a real JID. This is undesirable, as it can expose the real JID (for example when the original sender retrieves the message from a message archive).
Routing should not affect the stanza that is being post-processed.
Example of this in the wild:
Here, IDs 5 and 7 are DM stanzas stored in the MUC Archive in the ofMessageArchive table.
Note that the “to” address in the stanzas differs: ID 5 is addressed to a roomJID, whereas ID 7 is addressed to a realJID.
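The aliasing problem described above, reduced to a stand-alone sketch. This is an added example, not Openfire code: the Stanza class, the deliver/archiveListener/route methods and the JIDs are hypothetical stand-ins constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class MucRoutingCopyDemo {
    // Hypothetical minimal stanza: only the addressing that matters here.
    static final class Stanza {
        String from, to, body;
        Stanza(String from, String to, String body) { this.from = from; this.to = to; this.body = body; }
        Stanza copy() { return new Stanza(from, to, body); }
    }

    // Stand-in for a message archive that is fed by a post-routing listener.
    static final List<String> archive = new ArrayList<>();

    // Delivery rewrites the room JID to the occupant's real JID on the object it is given.
    static void deliver(Stanza s, String realJid) {
        s.to = realJid;
        // ... the stanza would be written to the client session here ...
    }

    // Post-processing: records the 'to' address it observes.
    static void archiveListener(Stanza s) { archive.add(s.to); }

    // Flawed: the listener receives the same instance that delivery mutated.
    static void routeShared(Stanza s, String realJid) {
        deliver(s, realJid);
        archiveListener(s);
    }

    // Defensive copy: delivery mutates its own copy, the listener sees the original.
    static void routeWithCopy(Stanza s, String realJid) {
        deliver(s.copy(), realJid);
        archiveListener(s);
    }

    public static void main(String[] args) {
        // Constructed sample addresses.
        String sender = "room@conference.example.org/alice";
        String roomJid = "room@conference.example.org/bob";
        String realJid = "bob@example.org/laptop";

        routeShared(new Stanza(sender, roomJid, "hi"), realJid);
        routeWithCopy(new Stanza(sender, roomJid, "hi"), realJid);

        System.out.println("shared instance, archived to = " + archive.get(0));
        System.out.println("defensive copy,  archived to = " + archive.get(1));
    }
}
```

The first archived address is the real JID and the second is the room JID, which matches the difference between the two archive rows noted above.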