Closes #833: Kses now built as module

git-svn-id: https://code.elgg.org/elgg/trunk@3222 36083f99-b078-4883-b0ff-0f9b5a30f544

1 files changed, 0 insertions, 204 deletions

diff --git a/vendors/kses/oop/oop.kses.changelog.txt b/vendors/kses/oop/oop.kses.changelog.txt
deleted file mode 100644
index a82daf4fe..000000000
--- a/vendors/kses/oop/oop.kses.changelog.txt
+++ /dev/null
@@ -1,204 +0,0 @@
-kses ChangeLog

-==============

-

-KSES5

-	* 1.0.2

-KSES4

-	* 0.2.2

-	- Folded in code from kses 0.2.2.

-

-KSES5

-	* 1.0.1rc

-KSES4

-	* 0.2.2rc

-	- Added SetProtocols() to make protocol replacement a single step

-	  to fully answer concerns in bug #892477

-	  

-KSES5

-	* 1.0.0

-	- Turned many methods private

-	

-	- Now using __construct default constructor

-	

-	- Only runs in PHP5 or better

-	

-	- All method names changed to reflect verb status

-	

-	- Folded sinlge line functions into calling methods

-	

-	- Deprecated _hook(), Protocols()

-	

-	- Added AddProtocols() to replace Protocols()

-	

-	- Added filterKsesTextHook() to replace _hook()

-	

-	- Added RemoveProtocol() and RemoveProtocols() to remove protocols

-	  singly, or batch.  This should clear bug #892477

-

-	- Version number is 1.0.0

-

-KSES4

-	* 0.2.1

-	- Synced version number to procedural code

-	

-	- Deprecated _hook(), Protocols()

-	

-	- Added AddProtocols() to replace Protocols()

-	

-	- Added filterKsesTextHook() to replace _hook()

-	

-	- Added RemoveProtocol() and RemoveProtocols() to remove protocols singly,

-	  or batch.  This should clear bug #892477

-

-OOP

-	- Forked code into PHP4 and PHP5 versions.  Use '$myKses = new kses[45]'

-	  from now on.

-	

-	- Modified code to run in E_STRICT.  This should clear bug #918493

-	

-	- Added phpDoc commenting

-

-OOP

-	* 0.0.2

-	- Fixed a bug in AddProtocol that wasn't adding new protocols to

-	  $this->allowed_protocols

-

-	- Modified internal methods to correspond to kses 0.2.1 modifications.

-

-	- Created a basic test suite that can be run via web or CLI.

-

-	- Started CVSing the code.

-

-OOP

-	* 0.0.1

-	- Turned all the kses_function_name functions to _function_name methods.

-

-	- Added a couple of properties (allowed_protocols, allowed_html) with

-	  $this->allowed_protocols defaulting to the lion's share of usual

-	  protocols.

-

-	- Modified the applicable use of preg_replace() functions to point to

-	  internal class methods.

-

-	- Reduced the parameter list of some methods since internal properties

-	  are now being used.

-

-	- Added "public" methods to set up the allowed protocols and HTML.

-

-Procedural

-	* 0.2.1

-

-	0.2.1 was released on the 29th of September 2003.

-	It has the following changes:

-

-	- There is now an additional version of kses, using the object-oriented

-	  paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it!

-	  Anyone who wants to make functional programming, logical programming or

-	  spaghetti programming versions of kses as well (or any other programming

-	  paradigm that you like), go ahead! All the people who like old

-	  procedural programming for web applications shouldn't despair, though,

-	  as both versions will be maintained with each release.

-

-	- kses now has some new attribute value checks: minlen, minval and

-	  valueless.  See docs/attribute-value-checks for an explanation.

-

-	- For some reason, the Opera developers decided to make chr(173) a

-	  whitespace character in URL protocols, both when it occurs raw and in an

-	  entity. kses now handles this.

-

-	- The URL protocol whitelisting system now decodes entities before

-	  removing NULLs and whitespaces.

-

-Procedural

-	* 0.2.0

-

-	0.2.0 was released on the 25th of July 2003.

-	It has the following changes:

-

-	- kses now supports checking of attribute values, and not just element

-	  names and attribute names. The attribute value checks that exist so far

-	  are 'maxlen' (checks how long attribute values are, to avoid Buffer

-	  Overflows) and 'maxval' (checks how big an integer value is, to avoid

-	  Denial of Service attacks).

-

-	  Buffer Overflows could both be a problem for WWW clients and different

-	  servers on the Internet that an HTML document links to. One example is

-	  <frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.

-

-	  Denial of Service attacks can take the form of too big sizes of iframes

-	  or other things. One example is <iframe src="http://some.web.server/"

-	  width="20000" height="2000">, which makes some client machines

-	  completely overloaded.

-

-	- kses' old feature of removing "javascript:" from attribute values has

-	  been improved. It now has a whole system for white listing of URL

-	  protocols, so you can specify that it's acceptable with http:, https:,

-	  ftp: and gopher:, but no other protocols in attribute values. The system

-	  tries pretty hard to do the right thing with whitespace, upper/lower

-	  case, HTML entities ("jav&#97;script:") and repeated entries

-	  ("javascript:javascript:alert(57)").

-

-	- kses now supports both HTML and XHTML code, by allowing " /" at the end

-	  of tags.

-

-	- kses now removes Netscape 4's JavaScript entities, having the form

-	  "&{alert(57)};". They don't even seem to work on all versions of

-	  Netscape 4, but for completeness' sake it seemed like a good feature to

-	  add.

-

-	- A bug with NULLs in javascript: URLs was fixed.

-	  (Reported by Simon Cornelius P. Umacob - thanks!)

-

-	- As a nice side effect of the white listing of URL protocols, kses now

-	  also normalizes all HTML entities in documents. It will change HTML code

-	  with bad entities to the right form, for example "AT&T" will be

-	  converted to "AT&amp;T" and "<a href='lyrics.php?band=ladytron&lyrics=

-	  playgirl'>" will be converted to "<a href='lyrics.php?band=

-	  ladytron&amp;lyrics=playgirl'>". "&#000058;" will be converted to

-	  "&#58;", "&#XYZZY;" will be converted to "&amp;#XYZZY;", "&auml!;" will

-	  be converted to "&amp;auml!;" and so on.

-

-	  As shown above, it will process HTML entities that it doesn't

-	  understand.  It will also deal with too big numbers in numeric HTML

-	  entities, which is helpful as many browsers seem to wrap them around at

-	  2 ** 32, so the characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera

-	  are all colons to the web browser.

-

-	- You can now use upper case letters in your $allowed_html array, in

-	  element names, attribute names and attribute value check names. Version

-	  0.1.0 required everything in that array to be in lower case, but that's

-	  not necessary any more. You can also use upper case letters in

-	  $allowed_protocols.

-

-	- The "Really malformed thing" bug from the TODO file was fixed.

-	  It used to convert this string:

-	  x > 5 <a href="blah">

-	  to:

-	  x &gt; 5 &lt;a href=&quot;blah&quot;&gt;

-	  and now it converts it to:

-	  x &gt; 5 <a href="blah">

-

-	- The "Weird malformed thing" bug from the TODO file was fixed.

-	  It used to convert this string:

-	  <a href="5 href=6>

-	  to:

-	  <a href="6">

-	  because of the way kses restarts after a parse error in kses_hair().

-	  Now it converts it to:

-	  <a>

-

-	- A problem with slashes in HTML tags was fixed.

-

-	- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on

-	  Windows.

-	  (Reported by Simon Cornelius P. Umacob - thanks!)

-

-	- kses now allows dashes in attribute names, for things like

-	  <meta http-equiv=..>.

-

-Procedural

-	* 0.1.0, first public version

-

-	0.1.0 was released on the 9th of June 2003.

-	It was announced on three security related mailing lists on Friday the

-	13th of June (nothing bad happened to it though).