[Full-Disclosure] [ANNOUNCE] kses 0.2.1

From: Härnhammar, Ulf (Ulf.Harnhammar.9485_at_student.uu.se)
Date: 09/29/03

    To: full-disclosure@lists.netsys.com
    Date: Mon, 29 Sep 2003 22:08:59 +0200

    kses 0.2.1
    ==========

    kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML
    elements and attributes, no matter how malformed the HTML input you give it is.
    It also does several checks on attribute values. kses can be used to avoid
    Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks,
    among other things.

    The program is released under the terms of the GNU General Public License. You
    should look into what that means, before using kses in your programs.

    * FEATURES *

    Some of kses' current features are:

    * It will only allow the HTML elements and attributes that it was explicitly
    told to allow.

    * Element and attribute names are case-insensitive (a href vs A HREF).

    * It will understand and process whitespace correctly.

    * Attribute values can be surrounded with quotes, apostrophes or nothing.

    * It will accept valueless attributes with just names and no values (selected).

    * It will accept XHTML's closing " /" marks.

    * Attribute values that are surrounded with nothing will get quotes to avoid
    producing non-W3C conforming HTML
    (<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML).

    * It handles lots of types of malformed HTML, by interpreting the existing
    code the best it can and then rebuilding new code from it. That's a better
    approach than trying to process existing code, as you're bound to forget about
    some weird special case somewhere. It handles problems like never-ending
    quotes and tags gracefully.

    * It will remove additional "<" and ">" characters that people may try to
    sneak in somewhere.

    * It supports checking attribute values for minimum/maximum length and
    minimum/maximum value, to protect against Buffer Overflows and Denial of
    Service attacks against WWW clients and various servers. You can stop
    <iframe src= width= height=> from having too high values for width and height,
    for instance.

    * It has got a system for whitelisting URL protocols. You can say that
    attribute values may only start with http:, https:, ftp: and gopher:, but no
    other URL protocols (javascript:, java:, about:, telnet:..). The functions that
    do this work handle whitespace, upper/lower case, HTML entities
    ("jav&#97;script:") and repeated entries ("javascript:javascript:alert(57)").
    It also normalizes HTML entities as a nice side effect.

    * It removes Netscape 4's JavaScript entities ("&{alert(57)};").

    * It handles NULL bytes and Opera's chr(173) whitespace characters.

    * There is both a procedural version and an object-oriented version of kses.

    * NEW IN 0.2.1 *

    The 0.2.1 release adds a new object-oriented version of kses, three new
    attribute value checks (minlen, minval and valueless), a work-around for an
    Opera "feature" that treats chr(173) as whitespace, and some other minor
    changes.

    * HOMEPAGE *

    Download kses and subscribe to its kses-general mailing list at
    http://sourceforge.net/projects/kses ..

    * IRC KIDDIES *

    K: h3y u wr0t3 ab0ut xss and n0t buff3r 0v3rfl0wz, s0 ur n0t truly 31337!!!
       haha! ph3ar my 31337 3gr3p(1) sk1llzZz!!!!11!1!!1

    U: Virgin.

    -- 
    Ulf Härnhammar, student, Uppsala Universitet
    "Did you ever fall in love? / For a quarter of an hour or above?"
    -- Ladytron, "Another Breakfast with You"
    På spaning efter den webbransch som flytt
     http://home.student.uu.se/ulha9485/text/webbransch.html
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
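The filtering approach the announcement describes (an element/attribute whitelist, parsing malformed tags and rebuilding fresh markup instead of patching the original, minlen/maxlen/minval/maxval/valueless attribute checks, and a URL protocol whitelist that survives entities, mixed case, embedded whitespace and repeated "javascript:javascript:" prefixes) is shown below as an added Python sketch. It is not kses's code (kses is PHP) and does not use its API; the whitelist, attribute names and sample inputs are constructed for the example.

```python
"""Whitelist HTML filter in the style the kses announcement describes.

Constructed example: parse every tag, keep only whitelisted elements and
attributes, apply per-attribute value checks, normalize URL schemes, and
rebuild clean markup rather than patching the original text."""
import html
import re

# Constructed whitelist: element -> {attribute -> checks}. kses's own PHP
# config is shaped similarly (maxlen/minlen/maxval/minval/valueless).
ALLOWED_HTML = {
    "a": {"href": {"maxlen": 100}, "title": {}},
    "b": {},
    "br": {},
    "iframe": {"src": {}, "width": {"maxval": 500}, "height": {"maxval": 400}},
    "option": {"value": {}, "selected": {"valueless": True}},
}
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "gopher")
URL_ATTRS = {"href", "src"}

# A tag: "<", optional "/", a name, attributes (no angle brackets), optional
# XHTML " /", then ">" or end of input (so a never-ending tag is still read).
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)(/?)\s*(?:>|$)")


def normalize_url(value, protocols=ALLOWED_PROTOCOLS):
    """Decode entities, then strip every leading scheme that is not
    whitelisted, looping so 'javascript:javascript:x' cannot slip through."""
    value = html.unescape(value)          # "jav&#97;script:" -> "javascript:"
    while True:
        scheme, sep, rest = value.partition(":")
        # No colon, or the colon sits inside a path/query: nothing to check.
        if not sep or re.search(r"[/?#]", scheme):
            return value
        # Browsers ignore whitespace, NUL and Opera's chr(173) in the scheme.
        scheme = re.sub(r"[\x00-\x20\xad]", "", scheme).lower()
        if scheme in protocols:
            return value
        value = rest                      # drop the bad scheme and look again


def check_value(value, checks):
    """minlen/maxlen on the length, minval/maxval on a numeric value."""
    if "maxlen" in checks and len(value) > checks["maxlen"]:
        return False
    if "minlen" in checks and len(value) < checks["minlen"]:
        return False
    if "maxval" in checks or "minval" in checks:
        if not value.isdigit():
            return False
        n = int(value)
        if n > checks.get("maxval", n) or n < checks.get("minval", n):
            return False
    return True


def parse_attrs(raw):
    """Tolerant attribute parser: quotes, apostrophes, bare values, valueless
    names, and a never-ending quote (which swallows the rest of the tag)."""
    attrs, i, n = [], 0, len(raw)
    while i < n:
        m = re.match(r"\s*([a-zA-Z][\w:-]*)\s*", raw[i:])
        if not m:
            break                         # unreadable junk: stop parsing
        name, i = m.group(1).lower(), i + m.end()
        if i < n and raw[i] == "=":
            i += re.match(r"=\s*", raw[i:]).end()
            if i < n and raw[i] in "\"'":
                end = raw.find(raw[i], i + 1)
                end = n if end == -1 else end
                value, i = raw[i + 1:end], end + 1
            else:
                m = re.match(r"[^\s\"']*", raw[i:])
                value, i = m.group(0), i + m.end()
            attrs.append((name, value))
        else:
            attrs.append((name, None))
    return attrs


def rebuild_tag(m, allowed, protocols):
    """Build a fresh tag from the parsed parts; never echo the original."""
    closing, name, raw_attrs, xhtml_close = m.groups()
    name = name.lower()
    if name not in allowed:
        return ""                         # element not whitelisted: drop it
    if closing:
        return f"</{name}>"
    parts = [name]
    for attr, value in parse_attrs(raw_attrs):
        checks = allowed[name].get(attr)
        if checks is None:
            continue                      # attribute not allowed on this element
        if value is None:
            if checks.get("valueless"):
                parts.append(attr)        # e.g. <option selected>
            continue
        if attr in URL_ATTRS:
            value = normalize_url(value, protocols)
        else:
            value = html.unescape(value)  # normalize entities, re-escape below
        if check_value(value, checks):
            parts.append(f'{attr}="{html.escape(value, quote=True)}"')
    return "<" + " ".join(parts) + (" /" if xhtml_close else "") + ">"


def text_chunk(text):
    """A '<' that never became a tag is removed; a stray '>' is escaped."""
    return text.replace("<", "").replace(">", "&gt;")


def sanitize(markup, allowed=ALLOWED_HTML, protocols=ALLOWED_PROTOCOLS):
    markup = markup.replace("\x00", "")   # NUL bytes are never legitimate
    out, pos = [], 0
    for m in TAG_RE.finditer(markup):
        out.append(text_chunk(markup[pos:m.start()]))
        out.append(rebuild_tag(m, allowed, protocols))
        pos = m.end()
    out.append(text_chunk(markup[pos:]))
    return "".join(out)


if __name__ == "__main__":
    sample = ('<A HREF="jav&#97;script:alert(57)" onclick=x>link</A> '
              '<iframe src=http://example.com width=9999 height=300> 1 > 0')
    print(sanitize(sample))
```

The rebuild step is the point of the design: because output is generated from the parsed whitelist entries only, a weird special case in the input (an unterminated quote, a tag that never closes, an uppercase attribute name, an entity-encoded scheme) can at worst be dropped, never passed through. Note that, like kses, the filter strips a disallowed scheme and keeps the remainder of the value rather than rejecting the attribute outright.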
    
