diff options
Diffstat (limited to 'vendors/kses/docs/attribute-value-checks')
-rw-r--r-- | vendors/kses/docs/attribute-value-checks | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/vendors/kses/docs/attribute-value-checks b/vendors/kses/docs/attribute-value-checks new file mode 100644 index 000000000..8b0d645ee --- /dev/null +++ b/vendors/kses/docs/attribute-value-checks @@ -0,0 +1,68 @@ +kses attribute value checks +=========================== + +As you've probably already read in the README file, an $allowed_html array +normally looks like this: + +$allowed = array('b' => array(), + 'i' => array(), + 'a' => array('href' => 1, + 'title' => 1), + 'p' => array('align' => 1), + 'br' => array()); + +This sets what elements and attributes are allowed. + +From kses 0.2.0, you can also perform some checks on the attribute values. You +do it like this: + +$allowed = array('b' => array(), + 'i' => array(), + 'a' => array('href' => + array('maxlen' => 100), + 'title' => 1), + 'p' => array('align' => 1), + 'font' => array('size' => + array('maxval' => 20)), + 'br' => array()); + +This means that kses should perform the maxlen check with the value 100 on the +<a href=> value, as well as the maxval check with the value 20 on the <font +size=> value. + +The currently implemented checks (with more to come) are 'maxlen', 'maxval', +'minlen', 'minval' and 'valueless'. + +'maxlen' checks that the length of the attribute value is not greater than the +given value. It is helpful against Buffer Overflows in WWW clients and various +servers on the Internet. In my example above, it would mean that +"<a href='ftp://ftp.v1ct1m.com/AAAA..thousands_of_A's...'>" wouldn't be +accepted. + +Of course, this problem is even worse if you put that long URL in a <frame> +tag instead, so the WWW client will fetch it automatically without a user +having to click it. + +'maxval' checks that the attribute value is an integer greater than or equal to +zero, that it doesn't have an unreasonable amount of zeroes or whitespace (to +avoid Buffer Overflows), and that it is not greater than the given value. In +my example above, it would mean that "<font size='20'>" is accepted but +"<font size='21'>" is not. This check helps against Denial of Service attacks +against WWW clients. + +One example of this DoS problem is <iframe src="http://some.web.server/" +width="20000" height="2000">, which makes some client machines completely +overloaded. + +'minlen' and 'minval' works the same as 'maxlen' and 'maxval', except that they +check for minimum lengths and values instead of maximum ones. + +'valueless' checks if an attribute has a value (like <a href="blah">) or not +(<option selected>). If the given value is a "y" or a "Y", the attribute must +not have a value to be accepted. If the given value is an "n" or an "N", the +attribute must have a value. Note that <a href=""> is considered to have a +value, so there's a difference between valueless attributes and attribute +values with the length zero. + +You can combine more than one check, by putting one after the other in the +inner array. |