1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
kses ChangeLog
==============
* 0.2.2 and 0.2.2-rc1
0.2.2 was released on the 7th of February 2005. We also had a release
candidate, 0.2.2-rc1, that was released on the 30th of January 2005.
I (Ulf) am sorry for this long delay, but I lost interest in kses for a
while and worked on auditing C/C++ code for buffer overflows and format
string bugs in the Debian Security Audit Project instead
( http://www.debian.org/security/audit/ ).
This version has the following changes:
- Richard contributed an additional object-oriented kses version for
PHP 5, which takes advantage of that PHP version's improved object
orientation. You can find it in the oop/ directory.
- Richard added RemoveProtocol(), RemoveProtocols() and SetProtocols()
methods to both object-oriented kses versions. This closes SourceForge
bug #892477.
- Richard also did other smaller changes to the object-oriented kses
versions. See oop/oop.kses.changelog.txt for the gory details.
- The code that checks whether used elements and attributes are allowed
now uses isset() to avoid notices under certain configurations. This
hopefully closes SourceForge bug #918493.
- The check for the Opera extra whitespace character #173 was moved so
it only affects attribute values and nothing else. This is helpful for
Asian kses users, who use that character in writing. (This is just a
temporary solution. A better one will show up in the next version, when
the parser is rewritten.) This closes SourceForge bug #834645, kind of.
- Now the program will not even look at attributes and closing XHTML
slashes for closing HTML elements. This will make kses execute faster
and it won't accept atrocities like </br /> anymore.
- Moved references in examples/test.php from function calls to the function
definition, making it better PHP.
- The output of examples/test.php and examples/filter.php now conform fully
to W3C's HTML specification.
- From now on, kses releases will be distributed both as .tar.gz and .zip
archives to please our Wintendo users. This closes SourceForge feature
request #900380.
- Changed to new copyright year and paper mail address.
* 0.2.1
0.2.1 was released on the 29th of September 2003.
It has the following changes:
- There is now an additional version of kses, using the object-oriented
paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone
who wants to make functional programming, logical programming or spaghetti
programming versions of kses as well (or any other programming paradigm that
you like), go ahead! All the people who like old procedural programming for
web applications shouldn't despair, though, as both versions will be
maintained with each release.
- kses now has some new attribute value checks: minlen, minval and valueless.
See docs/attribute-value-checks for an explanation.
- For some reason, the Opera developers decided to make chr(173) a whitespace
character in URL protocols, both when it occurs raw and in an entity. kses
now handles this.
- The URL protocol whitelisting system now decodes entities before removing
NULLs and whitespaces.
* 0.2.0
0.2.0 was released on the 25th of July 2003.
It has the following changes:
- kses now supports checking of attribute values, and not just element names
and attribute names. The attribute value checks that exist so far are
'maxlen' (checks how long attribute values are, to avoid Buffer Overflows)
and 'maxval' (checks how big an integer value is, to avoid Denial of Service
attacks).
Buffer Overflows could both be a problem for WWW clients and different
servers on the Internet that an HTML document links to. One example is
<frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.
Denial of Service attacks can take the form of too big sizes of iframes or
other things. One example is <iframe src="http://some.web.server/"
width="20000" height="2000">, which makes some client machines completely
overloaded.
- kses' old feature of removing "javascript:" from attribute values has been
improved. It now has a whole system for white listing of URL protocols, so
you can specify that it's acceptable with http:, https:, ftp: and gopher:,
but no other protocols in attribute values. The system tries pretty hard to
do the right thing with whitespace, upper/lower case, HTML entities
("javascript:") and repeated entries ("javascript:javascript:alert(57)").
- kses now supports both HTML and XHTML code, by allowing " /" at the end of
tags.
- kses now removes Netscape 4's JavaScript entities, having the form
"&{alert(57)};". They don't even seem to work on all versions of Netscape 4,
but for completeness' sake it seemed like a good feature to add.
- A bug with NULLs in javascript: URLs was fixed.
(Reported by Simon Cornelius P. Umacob - thanks!)
- As a nice side effect of the white listing of URL protocols, kses now also
normalizes all HTML entities in documents. It will change HTML code with bad
entities to the right form, for example "AT&T" will be converted to
"AT&T" and "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>" will be
converted to "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>".
":" will be converted to ":", "&#XYZZY;" will be converted to
"&#XYZZY;", "ä!;" will be converted to "&auml!;" and so on.
As shown above, it will process HTML entities that it doesn't understand.
It will also deal with too big numbers in numeric HTML entities, which is
helpful as many browsers seem to wrap them around at 2 ** 32, so the
characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera are all colons to the
web browser.
- You can now use upper case letters in your $allowed_html array, in element
names, attribute names and attribute value check names. Version 0.1.0
required everything in that array to be in lower case, but that's not
necessary any more. You can also use upper case letters in
$allowed_protocols.
- The "Really malformed thing" bug from the TODO file was fixed.
It used to convert this string:
x > 5 <a href="blah">
to:
x > 5 <a href="blah">
and now it converts it to:
x > 5 <a href="blah">
- The "Weird malformed thing" bug from the TODO file was fixed.
It used to convert this string:
<a href="5 href=6>
to:
<a href="6">
because of the way kses restarts after a parse error in kses_hair(). Now it
converts it to:
<a>
- A problem with slashes in HTML tags was fixed.
- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on
Windows.
(Reported by Simon Cornelius P. Umacob - thanks!)
- kses now allows dashes in attribute names, for things like
<meta http-equiv=..>.
* 0.1.0, first public version
0.1.0 was released on the 9th of June 2003.
It was announced on three security related mailing lists on Friday the 13th
of June (nothing bad happened to it though).
|