Diffstat (limited to 'vendors/kses/oop/oop.kses.changelog.txt')
-rw-r--r-- | vendors/kses/oop/oop.kses.changelog.txt | 204 |
1 files changed, 0 insertions, 204 deletions
diff --git a/vendors/kses/oop/oop.kses.changelog.txt b/vendors/kses/oop/oop.kses.changelog.txt deleted file mode 100644 index a82daf4fe..000000000 --- a/vendors/kses/oop/oop.kses.changelog.txt +++ /dev/null @@ -1,204 +0,0 @@ -kses ChangeLog
-==============
-
-KSES5
- * 1.0.2
-KSES4
- * 0.2.2
- - Folded in code from kses 0.2.2.
-
-KSES5
- * 1.0.1rc
-KSES4
- * 0.2.2rc
- - Added SetProtocols() to make protocol replacement a single step
- to fully answer concerns in bug #892477
-
-KSES5
- * 1.0.0
- - Turned many methods private
-
- - Now using __construct default constructor
-
- - Only runs in PHP5 or better
-
- - All method names changed to reflect verb status
-
- - Folded sinlge line functions into calling methods
-
- - Deprecated _hook(), Protocols()
-
- - Added AddProtocols() to replace Protocols()
-
- - Added filterKsesTextHook() to replace _hook()
-
- - Added RemoveProtocol() and RemoveProtocols() to remove protocols
- singly, or batch. This should clear bug #892477
-
- - Version number is 1.0.0
-
-KSES4
- * 0.2.1
- - Synced version number to procedural code
-
- - Deprecated _hook(), Protocols()
-
- - Added AddProtocols() to replace Protocols()
-
- - Added filterKsesTextHook() to replace _hook()
-
- - Added RemoveProtocol() and RemoveProtocols() to remove protocols singly,
- or batch. This should clear bug #892477
-
-OOP
- - Forked code into PHP4 and PHP5 versions. Use '$myKses = new kses[45]'
- from now on.
-
- - Modified code to run in E_STRICT. This should clear bug #918493
-
- - Added phpDoc commenting
-
-OOP
- * 0.0.2
- - Fixed a bug in AddProtocol that wasn't adding new protocols to
- $this->allowed_protocols
-
- - Modified internal methods to correspond to kses 0.2.1 modifications.
-
- - Created a basic test suite that can be run via web or CLI.
-
- - Started CVSing the code.
-
-OOP
- * 0.0.1
- - Turned all the kses_function_name functions to _function_name methods.
-
- - Added a couple of properties (allowed_protocols, allowed_html) with
- $this->allowed_protocols defaulting to the lion's share of usual
- protocols.
-
- - Modified the applicable use of preg_replace() functions to point to
- internal class methods.
-
- - Reduced the parameter list of some methods since internal properties
- are now being used.
-
- - Added "public" methods to set up the allowed protocols and HTML.
-
-Procedural
- * 0.2.1
-
- 0.2.1 was released on the 29th of September 2003.
- It has the following changes:
-
- - There is now an additional version of kses, using the object-oriented
- paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it!
- Anyone who wants to make functional programming, logical programming or
- spaghetti programming versions of kses as well (or any other programming
- paradigm that you like), go ahead! All the people who like old
- procedural programming for web applications shouldn't despair, though,
- as both versions will be maintained with each release.
-
- - kses now has some new attribute value checks: minlen, minval and
- valueless. See docs/attribute-value-checks for an explanation.
-
- - For some reason, the Opera developers decided to make chr(173) a
- whitespace character in URL protocols, both when it occurs raw and in an
- entity. kses now handles this.
-
- - The URL protocol whitelisting system now decodes entities before
- removing NULLs and whitespaces.
-
-Procedural
- * 0.2.0
-
- 0.2.0 was released on the 25th of July 2003.
- It has the following changes:
-
- - kses now supports checking of attribute values, and not just element
- names and attribute names. The attribute value checks that exist so far
- are 'maxlen' (checks how long attribute values are, to avoid Buffer
- Overflows) and 'maxval' (checks how big an integer value is, to avoid
- Denial of Service attacks).
-
- Buffer Overflows could both be a problem for WWW clients and different
- servers on the Internet that an HTML document links to. One example is
- <frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.
-
- Denial of Service attacks can take the form of too big sizes of iframes
- or other things. One example is <iframe src="http://some.web.server/"
- width="20000" height="2000">, which makes some client machines
- completely overloaded.
-
- - kses' old feature of removing "javascript:" from attribute values has
- been improved. It now has a whole system for white listing of URL
- protocols, so you can specify that it's acceptable with http:, https:,
- ftp: and gopher:, but no other protocols in attribute values. The system
- tries pretty hard to do the right thing with whitespace, upper/lower
- case, HTML entities ("javascript:") and repeated entries
- ("javascript:javascript:alert(57)").
-
- - kses now supports both HTML and XHTML code, by allowing " /" at the end
- of tags.
-
- - kses now removes Netscape 4's JavaScript entities, having the form
- "&{alert(57)};". They don't even seem to work on all versions of
- Netscape 4, but for completeness' sake it seemed like a good feature to
- add.
-
- - A bug with NULLs in javascript: URLs was fixed.
- (Reported by Simon Cornelius P. Umacob - thanks!)
-
- - As a nice side effect of the white listing of URL protocols, kses now
- also normalizes all HTML entities in documents. It will change HTML code
- with bad entities to the right form, for example "AT&T" will be
- converted to "AT&T" and "<a href='lyrics.php?band=ladytron&lyrics=
- playgirl'>" will be converted to "<a href='lyrics.php?band=
- ladytron&lyrics=playgirl'>". ":" will be converted to
- ":", "&#XYZZY;" will be converted to "&#XYZZY;", "ä!;" will
- be converted to "&auml!;" and so on.
-
- As shown above, it will process HTML entities that it doesn't
- understand. It will also deal with too big numbers in numeric HTML
- entities, which is helpful as many browsers seem to wrap them around at
- 2 ** 32, so the characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera
- are all colons to the web browser.
-
- - You can now use upper case letters in your $allowed_html array, in
- element names, attribute names and attribute value check names. Version
- 0.1.0 required everything in that array to be in lower case, but that's
- not necessary any more. You can also use upper case letters in
- $allowed_protocols.
-
- - The "Really malformed thing" bug from the TODO file was fixed.
- It used to convert this string:
- x > 5 <a href="blah">
- to:
- x > 5 <a href="blah">
- and now it converts it to:
- x > 5 <a href="blah">
-
- - The "Weird malformed thing" bug from the TODO file was fixed.
- It used to convert this string:
- <a href="5 href=6>
- to:
- <a href="6">
- because of the way kses restarts after a parse error in kses_hair().
- Now it converts it to:
- <a>
-
- - A problem with slashes in HTML tags was fixed.
-
- - examples/filter.php used to use $SCRIPT_NAME, which doesn't work on
- Windows.
- (Reported by Simon Cornelius P. Umacob - thanks!)
-
- - kses now allows dashes in attribute names, for things like
- <meta http-equiv=..>.
-
-Procedural
- * 0.1.0, first public version
-
- 0.1.0 was released on the 9th of June 2003.
- It was announced on three security related mailing lists on Friday the
- 13th of June (nothing bad happened to it though).
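Review bot: Deleting this changelog removes the version marker for the vendored library at the top of the file (KSES5 1.0.2 / KSES4 0.2.2), and with it the record of which security-relevant fixes that version carries, such as SetProtocols() and RemoveProtocol()/RemoveProtocols() for bug #892477 and the 0.2.1 change that makes the URL protocol whitelist decode entities before removing NULLs and whitespace. The diffstat shown is limited to this one file, so it is not visible here whether the rest of vendors/kses/oop goes away in the same commit. If the code stays in the tree, keep the vendored version recorded somewhere next to it (a one-line note is enough) so a later audit can tell which upstream fixes are present; if the whole directory is being removed, say so in the commit message and name what now does the HTML and protocol filtering.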