Diffstat (limited to 'vendors/kses/ChangeLog')
-rw-r--r-- | vendors/kses/ChangeLog | 168 |
1 files changed, 168 insertions, 0 deletions
diff --git a/vendors/kses/ChangeLog b/vendors/kses/ChangeLog new file mode 100644 index 000000000..7102396ce --- /dev/null +++ b/vendors/kses/ChangeLog 
@@ -0,0 +1,168 @@ +kses ChangeLog +============== + +* 0.2.2 and 0.2.2-rc1 + +0.2.2 was released on the 7th of February 2005. We also had a release +candidate, 0.2.2-rc1, that was released on the 30th of January 2005. + +I (Ulf) am sorry for this long delay, but I lost interest in kses for a +while and worked on auditing C/C++ code for buffer overflows and format +string bugs in the Debian Security Audit Project instead +( http://www.debian.org/security/audit/ ). + +This version has the following changes: + +- Richard contributed an additional object-oriented kses version for + PHP 5, which takes advantage of that PHP version's improved object + orientation. You can find it in the oop/ directory. + +- Richard added RemoveProtocol(), RemoveProtocols() and SetProtocols() + methods to both object-oriented kses versions. This closes SourceForge + bug #892477. + +- Richard also did other smaller changes to the object-oriented kses + versions. See oop/oop.kses.changelog.txt for the gory details. + +- The code that checks whether used elements and attributes are allowed + now uses isset() to avoid notices under certain configurations. This + hopefully closes SourceForge bug #918493. + +- The check for the Opera extra whitespace character #173 was moved so + it only affects attribute values and nothing else. This is helpful for + Asian kses users, who use that character in writing. (This is just a + temporary solution. A better one will show up in the next version, when + the parser is rewritten.) This closes SourceForge bug #834645, kind of. + +- Now the program will not even look at attributes and closing XHTML + slashes for closing HTML elements. This will make kses execute faster + and it won't accept atrocities like </br /> anymore. + +- Moved references in examples/test.php from function calls to the function + definition, making it better PHP. + +- The output of examples/test.php and examples/filter.php now conform fully + to W3C's HTML specification. 
+ +- From now on, kses releases will be distributed both as .tar.gz and .zip + archives to please our Wintendo users. This closes SourceForge feature + request #900380. + +- Changed to new copyright year and paper mail address. + + +* 0.2.1 + +0.2.1 was released on the 29th of September 2003. +It has the following changes: + + +- There is now an additional version of kses, using the object-oriented + paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone + who wants to make functional programming, logical programming or spaghetti + programming versions of kses as well (or any other programming paradigm that + you like), go ahead! All the people who like old procedural programming for + web applications shouldn't despair, though, as both versions will be + maintained with each release. + +- kses now has some new attribute value checks: minlen, minval and valueless. + See docs/attribute-value-checks for an explanation. + +- For some reason, the Opera developers decided to make chr(173) a whitespace + character in URL protocols, both when it occurs raw and in an entity. kses + now handles this. + +- The URL protocol whitelisting system now decodes entities before removing + NULLs and whitespaces. + + +* 0.2.0 + +0.2.0 was released on the 25th of July 2003. +It has the following changes: + + +- kses now supports checking of attribute values, and not just element names + and attribute names. The attribute value checks that exist so far are + 'maxlen' (checks how long attribute values are, to avoid Buffer Overflows) + and 'maxval' (checks how big an integer value is, to avoid Denial of Service + attacks). + + Buffer Overflows could both be a problem for WWW clients and different + servers on the Internet that an HTML document links to. One example is + <frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">. + + Denial of Service attacks can take the form of too big sizes of iframes or + other things. 
One example is <iframe src="http://some.web.server/" + width="20000" height="2000">, which makes some client machines completely + overloaded. + +- kses' old feature of removing "javascript:" from attribute values has been + improved. It now has a whole system for white listing of URL protocols, so + you can specify that it's acceptable with http:, https:, ftp: and gopher:, + but no other protocols in attribute values. The system tries pretty hard to + do the right thing with whitespace, upper/lower case, HTML entities + ("javascript:") and repeated entries ("javascript:javascript:alert(57)"). + +- kses now supports both HTML and XHTML code, by allowing " /" at the end of + tags. + +- kses now removes Netscape 4's JavaScript entities, having the form + "&{alert(57)};". They don't even seem to work on all versions of Netscape 4, + but for completeness' sake it seemed like a good feature to add. + +- A bug with NULLs in javascript: URLs was fixed. + (Reported by Simon Cornelius P. Umacob - thanks!) + +- As a nice side effect of the white listing of URL protocols, kses now also + normalizes all HTML entities in documents. It will change HTML code with bad + entities to the right form, for example "AT&T" will be converted to + "AT&T" and "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>" will be + converted to "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>". + ":" will be converted to ":", "&#XYZZY;" will be converted to + "&#XYZZY;", "ä!;" will be converted to "&auml!;" and so on. + + As shown above, it will process HTML entities that it doesn't understand. + It will also deal with too big numbers in numeric HTML entities, which is + helpful as many browsers seem to wrap them around at 2 ** 32, so the + characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera are all colons to the + web browser. + +- You can now use upper case letters in your $allowed_html array, in element + names, attribute names and attribute value check names. 
Version 0.1.0 + required everything in that array to be in lower case, but that's not + necessary any more. You can also use upper case letters in + $allowed_protocols. + +- The "Really malformed thing" bug from the TODO file was fixed. + It used to convert this string: + x > 5 <a href="blah"> + to: + x > 5 <a href="blah"> + and now it converts it to: + x > 5 <a href="blah"> + +- The "Weird malformed thing" bug from the TODO file was fixed. + It used to convert this string: + <a href="5 href=6> + to: + <a href="6"> + because of the way kses restarts after a parse error in kses_hair(). Now it + converts it to: + <a> + +- A problem with slashes in HTML tags was fixed. + +- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on + Windows. + (Reported by Simon Cornelius P. Umacob - thanks!) + +- kses now allows dashes in attribute names, for things like + <meta http-equiv=..>. + + +* 0.1.0, first public version + +0.1.0 was released on the 9th of June 2003. +It was announced on three security related mailing lists on Friday the 13th +of June (nothing bad happened to it though). |
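Review bot: several of the entity-normalization examples in the 0.2.0 section of this vendored ChangeLog read as identity conversions ('"AT&T" will be converted to "AT&T"', '":" will be converted to ":"', '"&#XYZZY;" will be converted to "&#XYZZY;"'), which suggests the entity-encoded forms were decoded somewhere on the way into this file rather than preserved as written upstream. Since a vendored ChangeLog should match the upstream 0.2.2 release verbatim, please compare the committed file against the original kses 0.2.2 tarball and re-import it unchanged if they differ; the examples are only meaningful when the "before" form keeps its literal entity text.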