Diffstat (limited to 'mod/kses/vendors/kses/docs')

 mode        file                                                       lines
 -rw-r--r--  mod/kses/vendors/kses/docs/attribute-value-checks          68 (deleted)
 -rw-r--r--  mod/kses/vendors/kses/docs/hooks                            7 (deleted)
 -rw-r--r--  mod/kses/vendors/kses/docs/stripping-everything             7 (deleted)
 -rw-r--r--  mod/kses/vendors/kses/docs/supported-formats                6 (deleted)
 -rw-r--r--  mod/kses/vendors/kses/docs/whitelisted-url-protocols       15 (deleted)
5 files changed, 0 insertions, 103 deletions
diff --git a/mod/kses/vendors/kses/docs/attribute-value-checks b/mod/kses/vendors/kses/docs/attribute-value-checks deleted file mode 100644 index 8b0d645ee..000000000 --- a/mod/kses/vendors/kses/docs/attribute-value-checks +++ /dev/null 
@@ -1,68 +0,0 @@ -kses attribute value checks -=========================== - -As you've probably already read in the README file, an $allowed_html array -normally looks like this: - -$allowed = array('b' => array(), - 'i' => array(), - 'a' => array('href' => 1, - 'title' => 1), - 'p' => array('align' => 1), - 'br' => array()); - -This sets what elements and attributes are allowed. - -From kses 0.2.0, you can also perform some checks on the attribute values. You -do it like this: - -$allowed = array('b' => array(), - 'i' => array(), - 'a' => array('href' => - array('maxlen' => 100), - 'title' => 1), - 'p' => array('align' => 1), - 'font' => array('size' => - array('maxval' => 20)), - 'br' => array()); - -This means that kses should perform the maxlen check with the value 100 on the -<a href=> value, as well as the maxval check with the value 20 on the <font -size=> value. - -The currently implemented checks (with more to come) are 'maxlen', 'maxval', -'minlen', 'minval' and 'valueless'. - -'maxlen' checks that the length of the attribute value is not greater than the -given value. It is helpful against Buffer Overflows in WWW clients and various -servers on the Internet. In my example above, it would mean that -"<a href='ftp://ftp.v1ct1m.com/AAAA..thousands_of_A's...'>" wouldn't be -accepted. - -Of course, this problem is even worse if you put that long URL in a <frame> -tag instead, so the WWW client will fetch it automatically without a user -having to click it. - -'maxval' checks that the attribute value is an integer greater than or equal to -zero, that it doesn't have an unreasonable amount of zeroes or whitespace (to -avoid Buffer Overflows), and that it is not greater than the given value. In -my example above, it would mean that "<font size='20'>" is accepted but -"<font size='21'>" is not. This check helps against Denial of Service attacks -against WWW clients. 
- -One example of this DoS problem is <iframe src="http://some.web.server/" -width="20000" height="2000">, which makes some client machines completely -overloaded. - -'minlen' and 'minval' works the same as 'maxlen' and 'maxval', except that they -check for minimum lengths and values instead of maximum ones. - -'valueless' checks if an attribute has a value (like <a href="blah">) or not -(<option selected>). If the given value is a "y" or a "Y", the attribute must -not have a value to be accepted. If the given value is an "n" or an "N", the -attribute must have a value. Note that <a href=""> is considered to have a -value, so there's a difference between valueless attributes and attribute -values with the length zero. - -You can combine more than one check, by putting one after the other in the -inner array. diff --git a/mod/kses/vendors/kses/docs/hooks b/mod/kses/vendors/kses/docs/hooks deleted file mode 100644 index 971ff1ca4..000000000 --- a/mod/kses/vendors/kses/docs/hooks +++ /dev/null @@ -1,7 +0,0 @@ -kses hooks -========== - -Sometimes you want to perform one more action on all data that kses will -filter. There is a special function for that purpose called kses_hook(). kses -calls it from its main function kses(), so if you insert some code in -kses_hook(), it will always be called to change all data that kses sees. diff --git a/mod/kses/vendors/kses/docs/stripping-everything b/mod/kses/vendors/kses/docs/stripping-everything deleted file mode 100644 index f11742b7c..000000000 --- a/mod/kses/vendors/kses/docs/stripping-everything +++ /dev/null @@ -1,7 +0,0 @@ -kses stripping everything -========================= - -Sometimes you want to use kses for stripping all (X)HTML tags from a document. -You do it by calling kses like this: - -$doc = kses($doc, array()); diff --git a/mod/kses/vendors/kses/docs/supported-formats b/mod/kses/vendors/kses/docs/supported-formats deleted file mode 100644 index c0a9d9740..000000000 
--- a/mod/kses/vendors/kses/docs/supported-formats +++ /dev/null @@ -1,6 +0,0 @@ -kses supported formats -====================== - -It should be noted that kses doesn't deal with any smiley plus newline plus -HTML format. It uses HTML or XHTML, both as input and as output. -Conversions from the preferred format to or from HTML or XHTML is up to you. diff --git a/mod/kses/vendors/kses/docs/whitelisted-url-protocols b/mod/kses/vendors/kses/docs/whitelisted-url-protocols deleted file mode 100644 index a0032c4cc..000000000 --- a/mod/kses/vendors/kses/docs/whitelisted-url-protocols +++ /dev/null @@ -1,15 +0,0 @@ -kses whitelisted URL protocols -============================== - -From kses 0.2.0, it has a function that checks all attribute values for URL -protocols and only allows the protocols given in a whitelist. - -If you call kses the old way with two parameters - a string and an -$allowed_html array - it will take its own default array, which whitelists the -protocols http, https, ftp, news, nntp, telnet, gopher and mailto. Pretty -reasonable, but anyone who wants to change it just calls the kses() function -with a third parameter, like this: - -$string = kses($string, $allowed_html, array('http', 'https')); - -Note that you shouldn't include any colon after http or other protocol names. |
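Review bot: Deleting docs/whitelisted-url-protocols removes the only place in this tree that states the default protocol whitelist (http, https, ftp, news, nntp, telnet, gopher and mailto) and the third-parameter override, `$string = kses($string, $allowed_html, array('http', 'https'));`, with no replacement anywhere in this diff (5 files changed, 0 insertions). Callers who rely on the vendored copy will no longer see that the default admits telnet, gopher, news and nntp, nor how to narrow it. Suggest either keeping this file, or pointing to wherever the list is now documented (a README or a comment next to the default array in kses.php) and saying so in the commit message.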
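Review bot: Deleting docs/attribute-value-checks drops the description of the nested `$allowed_html` form (`'href' => array('maxlen' => 100)`) and of the check keys 'maxlen', 'maxval', 'minlen', 'minval' and 'valueless', including the note that `<a href="">` counts as having a value, so a 'valueless' => 'y' rule rejects it while a 'minlen' rule is what catches zero-length values. Nothing in this patch carries that semantics forward, and it is the kind of detail a downstream `$allowed_html` author gets wrong without the docs. If the intent is to stop shipping the upstream docs directory, the commit message should say where the equivalent documentation lives; otherwise consider retaining this file and docs/hooks, which is the only note that kses_hook() is invoked from kses() on every filtered string.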