|
|
|
kses ChangeLog
|
|
|
|
==============
|
|
|
|
|
|
|
|
KSES5
|
|
|
|
* 1.0.2
|
|
|
|
KSES4
|
|
|
|
* 0.2.2
|
|
|
|
- Folded in code from kses 0.2.2.
|
|
|
|
|
|
|
|
KSES5
|
|
|
|
* 1.0.1rc
|
|
|
|
KSES4
|
|
|
|
* 0.2.2rc
|
|
|
|
- Added SetProtocols() to make protocol replacement a single step
|
|
|
|
to fully answer concerns in bug #892477
|
|
|
|
|
|
|
|
KSES5
|
|
|
|
* 1.0.0
|
|
|
|
- Turned many methods private
|
|
|
|
|
|
|
|
- Now using __construct default constructor
|
|
|
|
|
|
|
|
- Only runs in PHP5 or better
|
|
|
|
|
|
|
|
- All method names changed to reflect verb status
|
|
|
|
|
|
|
|
- Folded sinlge line functions into calling methods
|
|
|
|
|
|
|
|
- Deprecated _hook(), Protocols()
|
|
|
|
|
|
|
|
- Added AddProtocols() to replace Protocols()
|
|
|
|
|
|
|
|
- Added filterKsesTextHook() to replace _hook()
|
|
|
|
|
|
|
|
- Added RemoveProtocol() and RemoveProtocols() to remove protocols
|
|
|
|
singly, or batch. This should clear bug #892477
|
|
|
|
|
|
|
|
- Version number is 1.0.0
|
|
|
|
|
|
|
|
KSES4
|
|
|
|
* 0.2.1
|
|
|
|
- Synced version number to procedural code
|
|
|
|
|
|
|
|
- Deprecated _hook(), Protocols()
|
|
|
|
|
|
|
|
- Added AddProtocols() to replace Protocols()
|
|
|
|
|
|
|
|
- Added filterKsesTextHook() to replace _hook()
|
|
|
|
|
|
|
|
- Added RemoveProtocol() and RemoveProtocols() to remove protocols singly,
|
|
|
|
or batch. This should clear bug #892477
|
|
|
|
|
|
|
|
OOP
|
|
|
|
- Forked code into PHP4 and PHP5 versions. Use '$myKses = new kses[45]'
|
|
|
|
from now on.
|
|
|
|
|
|
|
|
- Modified code to run in E_STRICT. This should clear bug #918493
|
|
|
|
|
|
|
|
- Added phpDoc commenting
|
|
|
|
|
|
|
|
OOP
|
|
|
|
* 0.0.2
|
|
|
|
- Fixed a bug in AddProtocol that wasn't adding new protocols to
|
|
|
|
$this->allowed_protocols
|
|
|
|
|
|
|
|
- Modified internal methods to correspond to kses 0.2.1 modifications.
|
|
|
|
|
|
|
|
- Created a basic test suite that can be run via web or CLI.
|
|
|
|
|
|
|
|
- Started CVSing the code.
|
|
|
|
|
|
|
|
OOP
|
|
|
|
* 0.0.1
|
|
|
|
- Turned all the kses_function_name functions to _function_name methods.
|
|
|
|
|
|
|
|
- Added a couple of properties (allowed_protocols, allowed_html) with
|
|
|
|
$this->allowed_protocols defaulting to the lion's share of usual
|
|
|
|
protocols.
|
|
|
|
|
|
|
|
- Modified the applicable use of preg_replace() functions to point to
|
|
|
|
internal class methods.
|
|
|
|
|
|
|
|
- Reduced the parameter list of some methods since internal properties
|
|
|
|
are now being used.
|
|
|
|
|
|
|
|
- Added "public" methods to set up the allowed protocols and HTML.
|
|
|
|
|
|
|
|
Procedural
|
|
|
|
* 0.2.1
|
|
|
|
|
|
|
|
0.2.1 was released on the 29th of September 2003.
|
|
|
|
It has the following changes:
|
|
|
|
|
|
|
|
- There is now an additional version of kses, using the object-oriented
|
|
|
|
paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it!
|
|
|
|
Anyone who wants to make functional programming, logical programming or
|
|
|
|
spaghetti programming versions of kses as well (or any other programming
|
|
|
|
paradigm that you like), go ahead! All the people who like old
|
|
|
|
procedural programming for web applications shouldn't despair, though,
|
|
|
|
as both versions will be maintained with each release.
|
|
|
|
|
|
|
|
- kses now has some new attribute value checks: minlen, minval and
|
|
|
|
valueless. See docs/attribute-value-checks for an explanation.
|
|
|
|
|
|
|
|
- For some reason, the Opera developers decided to make chr(173) a
|
|
|
|
whitespace character in URL protocols, both when it occurs raw and in an
|
|
|
|
entity. kses now handles this.
|
|
|
|
|
|
|
|
- The URL protocol whitelisting system now decodes entities before
|
|
|
|
removing NULLs and whitespaces.
|
|
|
|
|
|
|
|
Procedural
|
|
|
|
* 0.2.0
|
|
|
|
|
|
|
|
0.2.0 was released on the 25th of July 2003.
|
|
|
|
It has the following changes:
|
|
|
|
|
|
|
|
- kses now supports checking of attribute values, and not just element
|
|
|
|
names and attribute names. The attribute value checks that exist so far
|
|
|
|
are 'maxlen' (checks how long attribute values are, to avoid Buffer
|
|
|
|
Overflows) and 'maxval' (checks how big an integer value is, to avoid
|
|
|
|
Denial of Service attacks).
|
|
|
|
|
|
|
|
Buffer Overflows could both be a problem for WWW clients and different
|
|
|
|
servers on the Internet that an HTML document links to. One example is
|
|
|
|
<frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.
|
|
|
|
|
|
|
|
Denial of Service attacks can take the form of too big sizes of iframes
|
|
|
|
or other things. One example is <iframe src="http://some.web.server/"
|
|
|
|
width="20000" height="2000">, which makes some client machines
|
|
|
|
completely overloaded.
|
|
|
|
|
|
|
|
- kses' old feature of removing "javascript:" from attribute values has
|
|
|
|
been improved. It now has a whole system for white listing of URL
|
|
|
|
protocols, so you can specify that it's acceptable with http:, https:,
|
|
|
|
ftp: and gopher:, but no other protocols in attribute values. The system
|
|
|
|
tries pretty hard to do the right thing with whitespace, upper/lower
|
|
|
|
case, HTML entities ("javascript:") and repeated entries
|
|
|
|
("javascript:javascript:alert(57)").
|
|
|
|
|
|
|
|
- kses now supports both HTML and XHTML code, by allowing " /" at the end
|
|
|
|
of tags.
|
|
|
|
|
|
|
|
- kses now removes Netscape 4's JavaScript entities, having the form
|
|
|
|
"&{alert(57)};". They don't even seem to work on all versions of
|
|
|
|
Netscape 4, but for completeness' sake it seemed like a good feature to
|
|
|
|
add.
|
|
|
|
|
|
|
|
- A bug with NULLs in javascript: URLs was fixed.
|
|
|
|
(Reported by Simon Cornelius P. Umacob - thanks!)
|
|
|
|
|
|
|
|
- As a nice side effect of the white listing of URL protocols, kses now
|
|
|
|
also normalizes all HTML entities in documents. It will change HTML code
|
|
|
|
with bad entities to the right form, for example "AT&T" will be
|
|
|
|
converted to "AT&T" and "<a href='lyrics.php?band=ladytron&lyrics=
|
|
|
|
playgirl'>" will be converted to "<a href='lyrics.php?band=
|
|
|
|
ladytron&lyrics=playgirl'>". ":" will be converted to
|
|
|
|
":", "&#XYZZY;" will be converted to "&#XYZZY;", "ä!;" will
|
|
|
|
be converted to "&auml!;" and so on.
|
|
|
|
|
|
|
|
As shown above, it will process HTML entities that it doesn't
|
|
|
|
understand. It will also deal with too big numbers in numeric HTML
|
|
|
|
entities, which is helpful as many browsers seem to wrap them around at
|
|
|
|
2 ** 32, so the characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera
|
|
|
|
are all colons to the web browser.
|
|
|
|
|
|
|
|
- You can now use upper case letters in your $allowed_html array, in
|
|
|
|
element names, attribute names and attribute value check names. Version
|
|
|
|
0.1.0 required everything in that array to be in lower case, but that's
|
|
|
|
not necessary any more. You can also use upper case letters in
|
|
|
|
$allowed_protocols.
|
|
|
|
|
|
|
|
- The "Really malformed thing" bug from the TODO file was fixed.
|
|
|
|
It used to convert this string:
|
|
|
|
x > 5 <a href="blah">
|
|
|
|
to:
|
|
|
|
x > 5 <a href="blah">
|
|
|
|
and now it converts it to:
|
|
|
|
x > 5 <a href="blah">
|
|
|
|
|
|
|
|
- The "Weird malformed thing" bug from the TODO file was fixed.
|
|
|
|
It used to convert this string:
|
|
|
|
<a href="5 href=6>
|
|
|
|
to:
|
|
|
|
<a href="6">
|
|
|
|
because of the way kses restarts after a parse error in kses_hair().
|
|
|
|
Now it converts it to:
|
|
|
|
<a>
|
|
|
|
|
|
|
|
- A problem with slashes in HTML tags was fixed.
|
|
|
|
|
|
|
|
- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on
|
|
|
|
Windows.
|
|
|
|
(Reported by Simon Cornelius P. Umacob - thanks!)
|
|
|
|
|
|
|
|
- kses now allows dashes in attribute names, for things like
|
|
|
|
<meta http-equiv=..>.
|
|
|
|
|
|
|
|
Procedural
|
|
|
|
* 0.1.0, first public version
|
|
|
|
|
|
|
|
0.1.0 was released on the 9th of June 2003.
|
|
|
|
It was announced on three security related mailing lists on Friday the
|
|
|
|
13th of June (nothing bad happened to it though).
|