[TOOL] kses, PHP Based HTML Filter
From: SecuriTeam (support_at_securiteam.com)
Date: 07/28/03
To: list@securiteam.com Date: 28 Jul 2003 14:33:11 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
kses, PHP Based HTML Filter
------------------------------------------------------------------------
DETAILS
kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML elements and attributes, no matter how malformed the HTML input you give it is. It also performs several checks on attribute values. kses can be used to avoid Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks, among other things.
Some of kses' current features are:
* It will only allow the HTML elements and attributes that it was explicitly told to allow
* Element and attribute names are case-insensitive (a href vs A HREF)
* It will understand and process whitespace correctly
* Attribute values can be surrounded with quotes, apostrophes or nothing
* It will accept attributes with just names and no values (selected)
* It will accept XHTML's closing " /" marks
* Attribute values that are surrounded with nothing will get quotes, to avoid producing non-W3C-conforming HTML (<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML)
* It handles lots of types of malformed HTML by interpreting the existing code as best it can and then rebuilding new code from it. That is a better approach than trying to process the existing code in place, as you are bound to forget about some weird special case somewhere. It handles problems like never-ending quotes and tags gracefully
* It will remove additional "<" and ">" characters that people may try to sneak in somewhere
* It supports checking attribute values for maximum length and maximum value, to protect against Buffer Overflows and Denial of Service attacks against WWW clients and various servers. You can stop <iframe src= width= height=> from having too high values for width and height, for instance
* It has a system for whitelisting URL protocols. You can say that attribute values may only start with http:, https:, ftp: and gopher:, but no other URL protocols (javascript:, java:, about:, telnet: ...). The functions that do this work handle whitespace, upper/lower case, HTML entities ("javascript:") and repeated entries ("javascript:javascript:alert(57)"). It also normalizes HTML entities as a nice side effect
* It removes Netscape 4's JavaScript entities ("&{alert(57)};")
* It handles NULL bytes. [new in 0.2.0]
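To make the allow-list approach in the feature list concrete, here is an added example in Python: a miniature filter written independently for this page, not kses' own code and not its API (kses is PHP; the language here is only for illustration). It rebuilds every tag from scratch, keeps only allow-listed elements and attributes, quotes bare values, enforces maximum length/value checks, strips NUL bytes and Netscape "&{...};" entities, and checks URL protocols after decoding entities, removing whitespace and stripping repeated prefixes. The policy format (element, then attribute, then checks), the helper names and all sample inputs are constructed for this example.

```python
"""Miniature allow-list HTML filter in the spirit of the kses feature list.
Added example: an independent re-implementation of the technique, not kses'
own code. The policy format and every sample input are constructed here."""
import html
import re

# Constructed policy: only these elements/attributes survive; the optional
# per-attribute checks mirror the "maximum length / maximum value" idea.
ALLOWED_HTML = {
    "a": {"href": {"maxlen": 100}, "title": {"maxlen": 50}},
    "b": {},
    "i": {},
    "img": {"src": {}, "alt": {}, "width": {"maxval": 800}, "height": {"maxval": 600}},
    "option": {"value": {}, "selected": {}},
}
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "gopher")
URL_ATTRS = {"href", "src"}

# A tag runs from "<" to the next ">" or to end of input; a lone ">" is split
# out on its own so it can be escaped.
SPLIT_RE = re.compile(r"(<[^>]*(?:>|$)|>)")
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)(.*?)>?$", re.S)
# name, optionally followed by "=" and a double-quoted, single-quoted or bare value
ATTR_RE = re.compile(r"""([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]*)))?""")
JS_ENTITY_RE = re.compile(r"&\s*\{[^}]*(?:\}\s*;?|$)")   # Netscape 4 "&{...};"
PROTOCOL_RE = re.compile(r"^([a-zA-Z0-9+.-]+):")


def sanitize_url(value):
    """Decode entities and drop whitespace, then repeatedly strip a leading
    protocol that is not on the allow-list until the value stops changing,
    so "&#106;avascript:" and "javascript:javascript:alert(57)" are both
    reduced to a harmless remainder."""
    prev = None
    while value != prev:
        prev = value
        value = re.sub(r"\s", "", html.unescape(value))
        m = PROTOCOL_RE.match(value)
        if m and m.group(1).lower() not in ALLOWED_PROTOCOLS:
            value = value[m.end():]
    return value


def check_value(value, checks):
    """Apply the per-attribute limits from the policy."""
    for check, limit in checks.items():
        if check == "maxlen" and len(value) > limit:
            return False
        if check == "maxval" and (not value.isdigit() or int(value) > limit):
            return False
    return True


def filter_tag(piece):
    """Rebuild one tag from scratch, keeping only allowed attributes."""
    m = TAG_RE.match(piece)
    if not m:
        # a stray "<" that does not start a recognisable tag is neutralised
        return "&lt;" + html.escape(piece[1:], quote=False)
    slash, elem, attrs = m.group(1), m.group(2).lower(), m.group(3).strip()
    if elem not in ALLOWED_HTML:
        return ""                          # element not on the allow-list
    if slash:
        return f"</{elem}>"                # closing tags never carry attributes
    xhtml_close = re.search(r"(?:^|\s)/$", attrs) is not None
    if xhtml_close:
        attrs = attrs[:-1]
    kept = []
    for am in ATTR_RE.finditer(attrs):
        name = am.group(1).lower()
        checks = ALLOWED_HTML[elem].get(name)
        if checks is None:
            continue                       # attribute not allowed on this element
        value = next((g for g in am.group(2, 3, 4) if g is not None), None)
        if value is None:
            kept.append(name)              # valueless attribute such as "selected"
            continue
        value = html.unescape(JS_ENTITY_RE.sub("", value))   # drop "&{...};", decode entities
        if name in URL_ATTRS:
            value = sanitize_url(value)
        if not check_value(value, checks):
            continue                       # over the configured limit: drop it
        kept.append(f'{name}="{html.escape(value, quote=True)}"')  # quoted, entities normalised
    return "<" + " ".join([elem] + kept) + (" />" if xhtml_close else ">")


def kses_filter(text):
    """Filter a whole HTML fragment: NUL bytes go, each tag is rebuilt, and
    any other "<" or ">" is escaped rather than passed through."""
    text = text.replace("\0", "")
    out = []
    for piece in SPLIT_RE.split(text):
        if piece == ">":
            out.append("&gt;")
        elif piece.startswith("<"):
            out.append(filter_tag(piece))
        else:
            out.append(piece)
    return "".join(out)


if __name__ == "__main__":
    # constructed sample inputs covering the cases in the feature list
    for sample in ('<A HREF="javascript:alert(57)" onclick="x()">hi</A>',
                   '<a href=&#106;avascript:&#106;avascript:alert(57)>x</a>',
                   '<img src=logo.png width=99999 height="480" />',
                   '1 <b>and</b> 2 > 1 <script>alert(1)</script>'):
        print(repr(sample), "->", repr(kses_filter(sample)))
```

The protocol check is the part worth studying: a single pass that only looks for the literal string "javascript:" misses an entity-encoded, whitespace-padded or doubled prefix, which is why the loop normalises first and repeats until nothing changes.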
ADDITIONAL INFORMATION
The tool can be downloaded from: http://sourceforge.net/projects/kses
The information has been provided by Ulf Harnhammar (ulfh@Update.UU.SE).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.