[nycphp-talk] KSES 0.2.1 : XHTML filter in PHP
jon baer
jonbaer at jonbaer.net
Mon Sep 29 17:36:00 EDT 2003
----- Original Message -----
From: <Härnhammar>; "Ulf" <Ulf.Harnhammar.9485 at student.uu.se>
To: <full-disclosure at lists.netsys.com>
Cc: <bugtraq at securityfocus.com>
Sent: Monday, September 29, 2003 4:08 PM
Subject: [ANNOUNCE] kses 0.2.1
> kses 0.2.1
> ==========
>
>
> kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML
> elements and attributes, no matter how malformed HTML input you give it.
> It also does several checks on attribute values. kses can be used to avoid
> Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service
attacks,
> among other things.
>
> The program is released under the terms of the GNU General Public License.
You
> should look into what that means, before using kses in your programs.
>
>
> * FEATURES *
>
>
> Some of kses' current features are:
>
> * It will only allow the HTML elements and attributes that it was
explicitly
> told to allow.
>
> * Element and attribute names are case-insensitive (a href vs A HREF).
>
> * It will understand and process whitespace correctly.
>
> * Attribute values can be surrounded with quotes, apostrophes or nothing.
>
> * It will accept valueless attributes with just names and no values
(selected).
>
> * It will accept XHTML's closing " /" marks.
>
> * Attribute values that are surrounded with nothing will get quotes to
avoid
> producing non-W3C conforming HTML
> (<a href=http://sourceforge.net/projects/kses> works but isn't valid
HTML).
>
> * It handles lots of types of malformed HTML, by interpreting the existing
> code the best it can and then rebuilding new code from it. That's a better
> approach than trying to process existing code, as you're bound to forget
about
> some weird special case somewhere. It handles problems like never-ending
> quotes and tags gracefully.
>
> * It will remove additional "<" and ">" characters that people may try to
> sneak in somewhere.
>
> * It supports checking attribute values for minimum/maximum length and
> minimum/maximum value, to protect against Buffer Overflows and Denial of
> Service attacks against WWW clients and various servers. You can stop
> <iframe src= width= height=> from having too high values for width and
height,
> for instance.
>
> * It has got a system for whitelisting URL protocols. You can say that
> attribute values may only start with http:, https:, ftp: and gopher:, but
no
> other URL protocols (javascript:, java:, about:, telnet:..). The functions
that
> do this work handle whitespace, upper/lower case, HTML entities
> ("javascript:") and repeated entries
("javascript:javascript:alert(57)").
> It also normalizes HTML entities as a nice side effect.
>
> * It removes Netscape 4's JavaScript entities ("&{alert(57)};").
>
> * It handles NULL bytes and Opera's chr(173) whitespace characters.
>
> * There is both a procedural version and an object-oriented version of
kses.
>
>
> * NEW IN 0.2.1 *
>
>
> The 0.2.1 release adds a new object-oriented version of kses, three new
> attribute value checks (minlen, minval and valueless), a work-around for
an
> Opera "feature" that treats chr(173) as whitespace, and some other minor
> changes.
>
>
> * HOMEPAGE *
>
>
> Download kses and subscribe to its kses-general mailing list at
> http://sourceforge.net/projects/kses ..
>
>
> * IRC KIDDIES *
>
>
> K: h3y u wr0t3 ab0ut xss and n0t buff3r 0v3rfl0wz, s0 ur n0t truly
31337!!!
> haha! ph3ar my 31337 3gr3p(1) sk1llzZz!!!!11!1!!1
>
> U: Virgin.
>
>
> --
> Ulf Härnhammar, student, Uppsala Universitet
> "Did you ever fall in love? / For a quarter of an hour or above?"
> -- Ladytron, "Another Breakfast with You"
> På spaning efter den webbransch som flytt
> http://home.student.uu.se/ulha9485/text/webbransch.html
>
>
More information about the talk
mailing list