path: root/vendors/kses/oop/oop.kses.changelog.txt
blob: a82daf4febe7323630b3326742ff3b3178008eb9 (plain)
kses ChangeLog
==============

KSES5
	* 1.0.2
KSES4
	* 0.2.2
	- Folded in code from kses 0.2.2.

KSES5
	* 1.0.1rc
KSES4
	* 0.2.2rc
	- Added SetProtocols() to make protocol replacement a single step
	  to fully answer concerns in bug #892477
	  
KSES5
	* 1.0.0
	- Turned many methods private
	
	- Now using __construct default constructor
	
	- Only runs in PHP5 or better
	
	- All method names changed to reflect verb status
	
	- Folded single line functions into calling methods
	
	- Deprecated _hook(), Protocols()
	
	- Added AddProtocols() to replace Protocols()
	
	- Added filterKsesTextHook() to replace _hook()
	
	- Added RemoveProtocol() and RemoveProtocols() to remove protocols
	  singly, or batch.  This should clear bug #892477

	- Version number is 1.0.0

KSES4
	* 0.2.1
	- Synced version number to procedural code
	
	- Deprecated _hook(), Protocols()
	
	- Added AddProtocols() to replace Protocols()
	
	- Added filterKsesTextHook() to replace _hook()
	
	- Added RemoveProtocol() and RemoveProtocols() to remove protocols singly,
	  or batch.  This should clear bug #892477

OOP
	- Forked code into PHP4 and PHP5 versions.  Use '$myKses = new kses[45]'
	  from now on.
	
	- Modified code to run in E_STRICT.  This should clear bug #918493
	
	- Added phpDoc commenting

OOP
	* 0.0.2
	- Fixed a bug in AddProtocol that wasn't adding new protocols to
	  $this->allowed_protocols

	- Modified internal methods to correspond to kses 0.2.1 modifications.

	- Created a basic test suite that can be run via web or CLI.

	- Started CVSing the code.

OOP
	* 0.0.1
	- Turned all the kses_function_name functions to _function_name methods.

	- Added a couple of properties (allowed_protocols, allowed_html) with
	  $this->allowed_protocols defaulting to the lion's share of usual
	  protocols.

	- Modified the applicable use of preg_replace() functions to point to
	  internal class methods.

	- Reduced the parameter list of some methods since internal properties
	  are now being used.

	- Added "public" methods to set up the allowed protocols and HTML.

Procedural
	* 0.2.1

	0.2.1 was released on the 29th of September 2003.
	It has the following changes:

	- There is now an additional version of kses, using the object-oriented
	  paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it!
	  Anyone who wants to make functional programming, logical programming or
	  spaghetti programming versions of kses as well (or any other programming
	  paradigm that you like), go ahead! All the people who like old
	  procedural programming for web applications shouldn't despair, though,
	  as both versions will be maintained with each release.

	- kses now has some new attribute value checks: minlen, minval and
	  valueless.  See docs/attribute-value-checks for an explanation.

	- For some reason, the Opera developers decided to make chr(173) a
	  whitespace character in URL protocols, both when it occurs raw and in an
	  entity. kses now handles this.

	- The URL protocol whitelisting system now decodes entities before
	  removing NULLs and whitespaces.

Procedural
	* 0.2.0

	0.2.0 was released on the 25th of July 2003.
	It has the following changes:

	- kses now supports checking of attribute values, and not just element
	  names and attribute names. The attribute value checks that exist so far
	  are 'maxlen' (checks how long attribute values are, to avoid Buffer
	  Overflows) and 'maxval' (checks how big an integer value is, to avoid
	  Denial of Service attacks).

	  Buffer Overflows could be a problem both for WWW clients and for other
	  servers on the Internet that an HTML document links to. One example is
	  <frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.

	  Denial of Service attacks can take the form of too big sizes of iframes
	  or other things. One example is <iframe src="http://some.web.server/"
	  width="20000" height="2000">, which makes some client machines
	  completely overloaded.
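
	  The maxlen and maxval checks described here, together with the minlen,
	  minval and valueless checks that the 0.2.1 entry above adds, can be
	  demonstrated with the following added Python example. It is not kses
	  code (kses is written in PHP); Python is used because only the checking
	  logic is of interest. The ALLOWED_HTML table and its limits are a
	  constructed sample, and the rule that maxval/minval reject anything that
	  is not a plain non-negative integer is my assumption about how a numeric
	  bound has to behave to be useful.

```python
import re

# Constructed sample of an allowed-HTML table in the shape kses uses:
# element -> attribute -> {check name: limit}.  Not kses's shipped defaults.
ALLOWED_HTML = {
    "iframe": {"src": {"maxlen": 256},
               "width": {"maxval": 1000},
               "height": {"maxval": 1000}},
    "frame": {"src": {"maxlen": 256}},
    "input": {"type": {"maxlen": 10},
              "name": {"minlen": 1, "maxlen": 64},
              "disabled": {"valueless": "y"}},
}

# Assumption: maxval/minval only accept a plain, non-negative integer of at
# most six digits (optionally padded by a little whitespace); anything else
# fails, so "-5" or "1e9" cannot slip past a numeric bound.
_PLAIN_INT_RE = re.compile(r"^\s{0,6}[0-9]{1,6}\s{0,6}$")


def _lowercase_table(table):
    """Lowercase element, attribute and check names so an upper-case table
    (allowed since 0.2.0) still matches."""
    return {el.lower(): {at.lower(): {ck.lower(): lim for ck, lim in checks.items()}
                         for at, checks in attrs.items()}
            for el, attrs in table.items()}


def check_attr_value(value, valueless, checks):
    """Return True when value satisfies every check.

    value:     the attribute's value ('' when it had none)
    valueless: 'y' if the attribute appeared without a value, else 'n'
    checks:    {check name: limit} from the allowed-HTML table
    """
    for name, limit in checks.items():
        name = name.lower()
        if name == "maxlen" and len(value) > int(limit):
            return False
        if name == "minlen" and len(value) < int(limit):
            return False
        if name in ("maxval", "minval"):
            if not _PLAIN_INT_RE.match(value):
                return False
            number = int(value)
            if name == "maxval" and number > int(limit):
                return False
            if name == "minval" and number < int(limit):
                return False
        if name == "valueless" and str(limit).lower() != valueless:
            return False
    return True


def filter_attributes(element, attrs, allowed=ALLOWED_HTML):
    """Keep only the attributes of `element` that are whitelisted and pass
    their checks.  attrs is a list of (name, value), with value None when the
    attribute was written bare, e.g. <input disabled>.  Returns None when the
    element itself is not allowed, otherwise the surviving (name, value) list.
    """
    table = _lowercase_table(allowed)
    rules = table.get(element.lower())
    if rules is None:
        return None
    kept = []
    for name, value in attrs:
        checks = rules.get(name.lower())
        if checks is None:
            continue  # attribute not in the whitelist at all
        valueless = "y" if value is None else "n"
        if check_attr_value("" if value is None else value, valueless, checks):
            kept.append((name, value))
    return kept


if __name__ == "__main__":
    # The over-sized iframe from the changelog loses width and height, keeps src.
    print(filter_attributes("iframe", [("src", "http://some.web.server/"),
                                        ("width", "20000"), ("height", "2000")]))
    # A frame src of thousands of A's exceeds maxlen and is dropped entirely.
    print(filter_attributes("frame", [("src", "ftp://ftp.v1ct1m.com/" + "A" * 5000)]))
```

	  Dropping an attribute rather than truncating its value is the safer
	  choice: a truncated URL or size could still be well-formed but mean
	  something the author never wrote.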

	- kses' old feature of removing "javascript:" from attribute values has
	  been improved. It now has a whole system for whitelisting of URL
	  protocols, so you can specify that http:, https:, ftp: and gopher: are
	  acceptable in attribute values but no other protocols are. The system
	  tries pretty hard to do the right thing with whitespace, upper/lower
	  case, HTML entities ("jav&#97;script:") and repeated entries
	  ("javascript:javascript:alert(57)").
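
	  The whitelisting behaviour described here (case folding, entity-encoded
	  letters and colons, whitespace inside the protocol, repeated prefixes)
	  and the ordering fix in the 0.2.1 entry above (decode entities first,
	  then remove NULLs, whitespace and chr(173)) are illustrated by the
	  following added Python example. It is not kses code; the protocol list,
	  the regular expressions and the decision to decode only numeric entities
	  are my own reconstruction of the behaviour this changelog describes.

```python
import re

# Constructed whitelist; the changelog names http, https, ftp and gopher.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "gopher", "mailto")

# Decimal and hexadecimal numeric character references (assumption: named
# entities are left alone, so "&colon;" is not treated as ':').
_NUMERIC_ENTITY_RE = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));")

# A candidate "protocol:" prefix: a run of entities, letters, digits,
# whitespace or the Opera soft hyphen (U+00AD) ending in a colon, which may
# itself be written as &#58; or &#x3a;.  Trailing whitespace after the colon
# is swallowed too.
_PROTOCOL_PREFIX_RE = re.compile(
    r"^((?:&[^;]*;|[\sa-zA-Z0-9\xad]+)*)(?::|&#58;|&#[xX]3[aA];)\s*")


def decode_numeric_entities(text):
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        return chr(code) if code < 0x110000 else m.group(0)
    return _NUMERIC_ENTITY_RE.sub(repl, text)


def canonical_protocol(raw):
    """Decode entities FIRST, then strip whitespace, NULLs and chr(173), then
    lowercase.  The order matters: "&#0;" only becomes a NULL, and "&#173;"
    only becomes a soft hyphen, after decoding."""
    text = decode_numeric_entities(raw)
    text = re.sub(r"\s", "", text)
    text = text.replace("\x00", "").replace("\xad", "")
    return text.lower()


def strip_bad_protocol_once(value, allowed):
    """Rewrite one leading protocol: keep it in canonical form when it is
    whitelisted, otherwise drop it (including its colon)."""
    def repl(m):
        proto = canonical_protocol(m.group(1))
        return proto + ":" if proto in allowed else ""
    return _PROTOCOL_PREFIX_RE.sub(repl, value, count=1)


def sanitize_url(value, allowed=ALLOWED_PROTOCOLS):
    """Repeat until the value stops changing, so that a stacked
    "javascript:javascript:alert(57)" loses every layer."""
    allowed = tuple(p.lower() for p in allowed)
    while True:
        rewritten = strip_bad_protocol_once(value, allowed)
        if rewritten == value:
            return rewritten
        value = rewritten


if __name__ == "__main__":
    for sample in ("jav&#97;script:alert(57)", "javascript:javascript:alert(57)",
                   "java&#173;script:alert(57)", "HTTP://example.com/"):
        print(repr(sample), "->", repr(sanitize_url(sample)))
```

	  Note that a relative URL such as "/index.php?x=1:2" is untouched,
	  because the colon is not preceded by a plausible protocol prefix; the
	  loop terminates because every pass either shortens the value or leaves
	  an already canonical "proto:" unchanged.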

	- kses now supports both HTML and XHTML code, by allowing " /" at the end
	  of tags.

	- kses now removes Netscape 4's JavaScript entities, having the form
	  "&{alert(57)};". They don't even seem to work on all versions of
	  Netscape 4, but for completeness' sake it seemed like a good feature to
	  add.

	- A bug with NULLs in javascript: URLs was fixed.
	  (Reported by Simon Cornelius P. Umacob - thanks!)

	- As a nice side effect of the whitelisting of URL protocols, kses now
	  also normalizes all HTML entities in documents. It will change HTML code
	  with bad entities to the right form, for example "AT&T" will be
	  converted to "AT&amp;T" and "<a href='lyrics.php?band=ladytron&lyrics=
	  playgirl'>" will be converted to "<a href='lyrics.php?band=
	  ladytron&amp;lyrics=playgirl'>". "&#000058;" will be converted to
	  "&#58;", "&#XYZZY;" will be converted to "&amp;#XYZZY;", "&auml!;" will
	  be converted to "&amp;auml!;" and so on.

	  As shown above, it will process HTML entities that it doesn't
	  understand.  It will also deal with over-large numbers in numeric HTML
	  entities, which is helpful as many browsers seem to wrap them around at
	  2 ** 32, so the character codes 58, 58 + (2 ** 32), 58 + (2 ** 64) and
	  so on are all colons to the web browser.
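
	  The normalisation rules listed in this entry, together with the removal
	  of Netscape 4 "&{...};" JavaScript entities from the entry above, as an
	  added Python example (not kses's own PHP code). The approach of
	  disarming every ampersand and then restoring only well-formed entities
	  is my reconstruction of the described output; the caps on entity-name
	  length, digit counts and the 65535 cut-off for numeric references are my
	  assumptions about what "too big" means, since the changelog only says
	  such numbers are dealt with.

```python
import re

# Restore patterns applied after every '&' has been turned into '&amp;'.
# Assumed caps: 20-character entity names, five decimal or four hex digits.
_NAMED_RE = re.compile(r"&amp;([A-Za-z][A-Za-z0-9]{0,19});")
_DECIMAL_RE = re.compile(r"&amp;#0*([0-9]{1,5});")
_HEX_RE = re.compile(r"&amp;#([Xx][0-9A-Fa-f]{1,4});")

# Assumed upper bound for a numeric reference.  Anything larger stays
# disarmed, so a browser that reduces code points modulo 2 ** 32 never sees
# 58 + 2 ** 32 (which it would render as a colon) as a live entity.
_MAX_CODE_POINT = 65535

# Netscape 4 JavaScript entity: "&{...}" with an optional "};" tail, so an
# unterminated one is removed as well instead of swallowing nothing.
_JS_ENTITY_RE = re.compile(r"&\s*\{[^}]*(?:\}\s*;?)?")


def _restore_decimal(m):
    digits = m.group(1)  # leading zeros already dropped by the pattern
    return f"&#{digits};" if int(digits) <= _MAX_CODE_POINT else m.group(0)


def normalize_entities(html):
    """Turn every entity into a canonical form: "AT&T" -> "AT&amp;T",
    "&#000058;" -> "&#58;", "&auml!;" -> "&amp;auml!;".  Idempotent, so
    already-normalised input passes through unchanged."""
    out = html.replace("&", "&amp;")          # 1. disarm every ampersand
    out = _NAMED_RE.sub(r"&\1;", out)         # 2. restore well-formed names
    out = _DECIMAL_RE.sub(_restore_decimal, out)  # 3. restore small decimals
    out = _HEX_RE.sub(r"&#\1;", out)          # 4. restore short hex refs
    return out


def remove_js_entities(html):
    """Strip Netscape 4 "&{alert(57)};" entities before normalisation."""
    return _JS_ENTITY_RE.sub("", html)


def clean(html):
    """Assumed pipeline order: JavaScript entities first, then normalisation."""
    return normalize_entities(remove_js_entities(html))


if __name__ == "__main__":
    for sample in ("AT&T", "&#000058;", "&#XYZZY;", "&auml!;",
                   "&#4294967354;", "x&{alert(57)};y"):
        print(repr(sample), "->", repr(clean(sample)))
```

	  Because the first step is unconditional, the function never has to
	  decide whether a stray "&" was meant literally; it only has to
	  recognise the entity shapes it is willing to let through.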

	- You can now use upper case letters in your $allowed_html array, in
	  element names, attribute names and attribute value check names. Version
	  0.1.0 required everything in that array to be in lower case, but that's
	  not necessary any more. You can also use upper case letters in
	  $allowed_protocols.

	- The "Really malformed thing" bug from the TODO file was fixed.
	  It used to convert this string:
	  x > 5 <a href="blah">
	  to:
	  x &gt; 5 &lt;a href=&quot;blah&quot;&gt;
	  and now it converts it to:
	  x &gt; 5 <a href="blah">

	- The "Weird malformed thing" bug from the TODO file was fixed.
	  It used to convert this string:
	  <a href="5 href=6>
	  to:
	  <a href="6">
	  because of the way kses restarts after a parse error in kses_hair().
	  Now it converts it to:
	  <a>

	- A problem with slashes in HTML tags was fixed.

	- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on
	  Windows.
	  (Reported by Simon Cornelius P. Umacob - thanks!)

	- kses now allows dashes in attribute names, for things like
	  <meta http-equiv=..>.

Procedural
	* 0.1.0, first public version

	0.1.0 was released on the 9th of June 2003.
	It was announced on three security related mailing lists on Friday the
	13th of June (nothing bad happened to it though).