[TOOL] kses, PHP Based HTML Filter

From: SecuriTeam (support_at_securiteam.com)
Date: 07/28/03

    To: list@securiteam.com
    Date: 28 Jul 2003 14:33:11 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      kses, PHP Based HTML Filter
    ------------------------------------------------------------------------

    DETAILS

    kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML
    elements and attributes, no matter how malformed the HTML input it is given,
    and it also performs several checks on attribute values. kses can be used to
    prevent Cross-Site Scripting (XSS), buffer overflow and Denial of Service
    attacks, among other things.

    Some of kses' current features are:
     * It will only allow the HTML elements and attributes that it was
    explicitly told to allow

     * Element and attribute names are case-insensitive (a href vs A HREF)

     * It will understand and process whitespace correctly

     * Attribute values can be surrounded with quotes, apostrophes or nothing

     * It will accept attributes with just names and no values (selected)

     * It will accept XHTML's closing " /" marks

     * Attribute values that are not quoted at all are given quotes, to avoid
    producing non-W3C-conforming HTML (<a
    href=http://sourceforge.net/projects/kses> works in browsers but isn't valid HTML)

     * It handles many kinds of malformed HTML by interpreting the existing
    code as best it can and then rebuilding new code from it. That is a better
    approach than trying to patch up the existing code in place, as you are
    bound to forget about some weird special case somewhere. It handles
    problems like never-ending quotes and tags gracefully

     * It will remove additional "<" and ">" characters that people may try to
    sneak in somewhere

     * It supports checking attribute values for maximum length and maximum
    value, to protect against buffer overflow and Denial of Service attacks
    against WWW clients and various servers. You can stop <iframe src= width=
    height=> from having excessively large values for width and height, for instance

     * It has a system for whitelisting URL protocols. You can say that
    attribute values may only start with http:, https:, ftp: and gopher:, and
    with no other URL protocol (javascript:, java:, about:, telnet:, ...). The
    functions that do this handle whitespace, upper/lower case, HTML
    entities ("jav&#97;script:") and repeated entries
    ("javascript:javascript:alert(57)"). They also normalize HTML entities as a
    nice side effect

     * It removes Netscape 4's JavaScript entities ("&{alert(57)};")

     * It handles NULL bytes. [new in 0.2.0]
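    The attribute checks described above (maximum length / maximum value limits
    and the URL protocol whitelist with its whitespace, case, entity, repeated-scheme
    and NULL-byte handling) can be illustrated with the following added example.
    It is written in Python rather than PHP and is not kses' own code; the
    protocol list, the per-element attribute table and the function names are
    assumptions made for the demonstration, and the sample values are constructed.

```python
"""Added illustration, not kses code: the attribute checks kses describes,
re-implemented in Python. The protocol list, the per-element attribute table
and the sample inputs are assumptions chosen for this demo."""
import html
import re

# Assumed protocol whitelist, in the spirit of kses' "http:, https:, ftp: and gopher:".
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "gopher", "mailto")

# Assumed (hypothetical) per-element attribute whitelist with value checks.
ALLOWED_ATTRS = {
    "a": {"href": {"maxlen": 100}, "title": {"maxlen": 50}},
    "iframe": {"src": {"maxlen": 100}, "width": {"maxval": 800}, "height": {"maxval": 600}},
}
URL_ATTRS = ("href", "src")

# A leading "scheme:" whose scheme may contain whitespace and HTML entities,
# and whose colon may itself be entity-encoded (&#58; or &#x3A;).
SCHEME_RE = re.compile(r"^((?:&[^;]*;|[\sA-Za-z0-9])*)(:|&#58;|&#[xX]3[aA];)\s*")


def strip_bad_protocol_once(value, allowed):
    """Normalise the leading scheme of value; keep it if whitelisted, else drop it."""
    m = SCHEME_RE.match(value)
    if not m:
        return value                                  # no scheme: relative URL, leave it
    scheme = html.unescape(m.group(1))                # "jav&#97;script" -> "javascript"
    scheme = re.sub(r"\s+", "", scheme).lower()       # "JAVA\tSCRIPT" -> "javascript"
    rest = value[m.end():]
    if scheme in allowed:
        return scheme + ":" + rest                    # emit the normalised scheme
    return rest                                       # strip the bad scheme, keep the remainder


def sanitize_url(value, allowed=ALLOWED_PROTOCOLS):
    """Repeat the one-step check until nothing changes, so stacked schemes such
    as "javascript:javascript:alert(57)" are peeled off one by one."""
    value = value.replace("\0", "")                   # NULL bytes are removed first
    previous = None
    while value != previous:
        previous = value
        value = strip_bad_protocol_once(value, allowed)
    return value


def check_attribute_value(value, checks):
    """Apply maxlen / maxval limits; False means the attribute is dropped."""
    for check, limit in checks.items():
        if check == "maxlen" and len(value) > limit:
            return False
        if check == "maxval" and not (value.strip().isdigit() and int(value) <= limit):
            return False
    return True


def filter_attributes(element, attrs):
    """Return the attributes of one tag that survive the whitelist, the value
    checks and the protocol check, or None if the element itself is not allowed."""
    allowed = ALLOWED_ATTRS.get(element.lower())      # element names are case-insensitive
    if allowed is None:
        return None
    kept = {}
    for name, value in attrs.items():
        name = name.lower()                           # attribute names too
        if name not in allowed:
            continue
        if name in URL_ATTRS:
            value = sanitize_url(value)
        if check_attribute_value(value, allowed[name]):
            kept[name] = value
    return kept


if __name__ == "__main__":
    # Constructed inputs of the kind the feature list above talks about.
    for url in ("jav&#97;script:alert(57)", "javascript:javascript:alert(57)",
                " JAVA\tSCRIPT:alert(57)", "HTTP://Example.com/", "/relative"):
        print(repr(url), "->", repr(sanitize_url(url)))
    print(filter_attributes("IFRAME", {"SRC": "javascript:alert(57)",
                                       "width": "99999", "height": "300", "onload": "x"}))
```

    Note that, as in the behaviour described above, a disallowed scheme is stripped
    rather than the whole attribute being rejected: "javascript:alert(57)" becomes
    the harmless relative URL "alert(57)". Entities are decoded only in the scheme
    part, so query strings such as "?a=1&amp;b=2" pass through untouched.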

    ADDITIONAL INFORMATION

    The tool can be downloaded from: http://sourceforge.net/projects/kses

    The information has been provided by Ulf Harnhammar (ulfh@Update.UU.SE).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

