kses ChangeLog
==============

* 0.2.1

0.2.1 was released on the 29th of September 2003.
It has the following changes:


- There is now an additional version of kses, using the object-oriented
  paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone
  who wants to make functional programming, logical programming or spaghetti
  programming versions of kses as well (or any other programming paradigm that
  you like), go ahead! All the people who like old procedural programming for
  web applications shouldn't despair, though, as both versions will be
  maintained with each release.

- kses now has some new attribute value checks: minlen, minval and valueless.
  See docs/attribute-value-checks for an explanation.

- For some reason, the Opera developers decided to make chr(173) a whitespace
  character in URL protocols, both when it occurs raw and in an entity. kses
  now handles this.

- The URL protocol whitelisting system now decodes entities before removing
  NULLs and whitespaces.
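The protocol check the last two entries describe (decode entities first, then strip NULLs, whitespace and chr(173), compare case-insensitively, and repeat for stacked prefixes), as an added Python example that is not kses's own code; the allow-list is an assumed configuration.

```python
import html
import re

# Added example (not kses's own code): a URL-protocol allow-list check that
# follows the approach the 0.2.0/0.2.1 entries describe. Assumed allow-list.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "gopher")

# kses splits at the first ':' (also when it is written as an entity).
_COLON_RE = re.compile(r":|&#0*58;|&#x0*3a;", re.IGNORECASE)
# Whitespace, NUL bytes and chr(173), the soft hyphen Opera treats as
# whitespace inside a protocol name.
_JUNK_RE = re.compile(r"[\s\x00\xad]+")


def clean_protocol(proto: str) -> str:
    """Normalise the text before the colon so it can be compared to the list.

    Entities are decoded *first*; only then are NULs/whitespace stripped, so
    "java&#9;script" becomes "javascript" instead of keeping a hidden tab.
    """
    proto = html.unescape(proto)
    proto = _JUNK_RE.sub("", proto)
    return proto.lower()


def sanitize_url(url: str) -> str:
    """Strip disallowed protocol prefixes, repeating until none is left."""
    while True:
        parts = _COLON_RE.split(url, maxsplit=1)
        if len(parts) < 2:
            return url                       # no protocol at all (relative URL)
        proto, rest = parts
        proto = clean_protocol(proto)
        if proto in ALLOWED_PROTOCOLS:
            return f"{proto}:{rest.strip()}"  # allowed: keep, lower-cased
        # Disallowed (or empty) prefix: drop it and check what remains, so
        # "javascript:javascript:alert(57)" loses both prefixes.
        url = rest


if __name__ == "__main__":
    for u in ("HTTP://example.com/", "javascript:javascript:alert(57)",
              "&#106;avascript&#58;alert(57)", "ja\xadva\tscript:alert(57)"):
        print(repr(u), "->", repr(sanitize_url(u)))
```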
---|
| 27 | |
---|
| 28 | |
---|
| 29 | * 0.2.0 |
---|
| 30 | |
---|
| 31 | 0.2.0 was released on the 25th of July 2003. |
---|
| 32 | It has the following changes: |
---|
| 33 | |
---|
| 34 | |
---|
| 35 | - kses now supports checking of attribute values, and not just element names |
---|
| 36 | and attribute names. The attribute value checks that exist so far are |
---|
| 37 | 'maxlen' (checks how long attribute values are, to avoid Buffer Overflows) |
---|
| 38 | and 'maxval' (checks how big an integer value is, to avoid Denial of Service |
---|
| 39 | attacks). |
---|
| 40 | |
---|
| 41 | Buffer Overflows could both be a problem for WWW clients and different |
---|
| 42 | servers on the Internet that an HTML document links to. One example is |
---|
| 43 | <frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">. |
---|
| 44 | |
---|
| 45 | Denial of Service attacks can take the form of too big sizes of iframes or |
---|
| 46 | other things. One example is <iframe src="http://some.web.server/" |
---|
| 47 | width="20000" height="2000">, which makes some client machines completely |
---|
| 48 | overloaded. |
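The attribute value checks named here and in 0.2.1 (maxlen, maxval, minlen, minval, valueless) applied to one element's attributes, as an added Python example that is not kses's own code; the limits are an assumed configuration and the exact check semantics are assumed from how docs/attribute-value-checks is described.

```python
import re

# Added example (not kses's own code): attribute value checks as listed in the
# 0.2.0/0.2.1 entries. The nested layout mirrors kses's $allowed_html arrays;
# the limits are assumed. Assumption: a value failing any check drops the attribute.
ALLOWED_HTML = {
    "a": {"href": {"maxlen": 100}, "title": {"maxlen": 50}},
    "iframe": {"src": {"maxlen": 100}, "width": {"maxval": 1000},
               "height": {"maxval": 800}},
    "input": {"checked": {"valueless": "y"}, "name": {"minlen": 1, "maxlen": 32}},
}

# 'maxval'/'minval' only make sense for small non-negative integers; anything
# else (huge digit strings, "1e9", "-5") fails the check outright.
_INT_RE = re.compile(r"^\s{0,6}[0-9]{1,6}\s{0,6}$")


def value_passes(checks: dict, value) -> bool:
    """Return False if any configured check rejects this attribute value."""
    for name, limit in checks.items():
        name = name.lower()                 # check names are case-insensitive
        if name == "valueless":
            # 'y': attribute must appear without a value; 'n': must have one.
            if (value is None) != (str(limit).lower() == "y"):
                return False
            continue
        text = "" if value is None else value
        if name == "maxlen" and len(text) > int(limit):
            return False
        if name == "minlen" and len(text) < int(limit):
            return False
        if name in ("maxval", "minval"):
            if not _INT_RE.match(text):
                return False
            number = int(text)
            if name == "maxval" and number > int(limit):
                return False
            if name == "minval" and number < int(limit):
                return False
    return True


def filter_attributes(element: str, attrs: dict) -> dict:
    """Keep only allowed attributes of one element whose values pass every check."""
    allowed = ALLOWED_HTML.get(element.lower(), {})  # unknown element: nothing
    kept = {}
    for attr, value in attrs.items():
        checks = allowed.get(attr.lower())
        if checks is not None and value_passes(checks, value):
            kept[attr.lower()] = value
    return kept
```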
---|

- kses' old feature of removing "javascript:" from attribute values has been
  improved. It now has a whole system for whitelisting of URL protocols, so
  you can specify that it's acceptable with http:, https:, ftp: and gopher:,
  but no other protocols in attribute values. The system tries pretty hard to
  do the right thing with whitespace, upper/lower case, HTML entities
  ("javascript:") and repeated entries ("javascript:javascript:alert(57)").

- kses now supports both HTML and XHTML code, by allowing " /" at the end of
  tags.

- kses now removes Netscape 4's JavaScript entities, having the form
  "&{alert(57)};". They don't even seem to work on all versions of Netscape 4,
  but for completeness' sake it seemed like a good feature to add.

- A bug with NULLs in javascript: URLs was fixed.
  (Reported by Simon Cornelius P. Umacob - thanks!)

- As a nice side effect of the whitelisting of URL protocols, kses now also
  normalizes all HTML entities in documents. It will change HTML code with bad
  entities to the right form, for example "AT&T" will be converted to
  "AT&amp;T" and "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>" will be
  converted to "<a href='lyrics.php?band=ladytron&amp;lyrics=playgirl'>".
  "&#58;" will be converted to "&#58;", "&#XYZZY;" will be converted to
  "&amp;#XYZZY;", "&auml!;" will be converted to "&amp;auml!;" and so on.

  As shown above, it will process HTML entities that it doesn't understand.
  It will also deal with too big numbers in numeric HTML entities, which is
  helpful as many browsers seem to wrap them around at 2 ** 32, so the
  characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera are all colons to the
  web browser.
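The normalization rules just described (well-formed entities kept, any other '&' turned into "&amp;", oversized numeric entities treated as malformed rather than left for the browser to wrap around), as an added Python example that is not kses's own code; the accepted numeric range is an assumption.

```python
import re

# Added example (not kses's own code): entity normalisation as the entry above
# describes it. Every '&' that does not start a well-formed entity becomes
# "&amp;"; a numeric entity whose value is out of range is treated the same
# way instead of being passed through for the browser to wrap around.
# Assumption: the accepted range is 0..0x10FFFF (kses's own cut-off may differ).
MAX_CODEPOINT = 0x10FFFF

# One match per '&': the empty last alternative catches every '&' that is not
# followed by a structurally valid named, decimal or hex entity.
_ENTITY_RE = re.compile(
    r"&(?:(?P<named>[A-Za-z][A-Za-z0-9]{0,19});"
    r"|#(?P<dec>[0-9]+);"
    r"|#[xX](?P<hex>[0-9A-Fa-f]+);"
    r"|)"
)


def _fix_entity(m: re.Match) -> str:
    whole = m.group(0)
    if m.group("named") is not None:
        return whole                       # keep, even if the name is unknown
    if m.group("dec") is not None:
        value = int(m.group("dec"))        # also strips leading zeros on output
        return f"&#{value};" if value <= MAX_CODEPOINT else "&amp;" + whole[1:]
    if m.group("hex") is not None:
        value = int(m.group("hex"), 16)
        return whole if value <= MAX_CODEPOINT else "&amp;" + whole[1:]
    return "&amp;"                         # lone or malformed '&'


def normalize_entities(text: str) -> str:
    """Rewrite text so that every '&' is part of a well-formed entity."""
    return _ENTITY_RE.sub(_fix_entity, text)


if __name__ == "__main__":
    for s in ("AT&T", "&#58;", "&#XYZZY;", "&auml!;", "&#%d;" % (58 + 2 ** 32)):
        print(repr(s), "->", repr(normalize_entities(s)))
```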
---|

- You can now use upper case letters in your $allowed_html array, in element
  names, attribute names and attribute value check names. Version 0.1.0
  required everything in that array to be in lower case, but that's not
  necessary any more. You can also use upper case letters in
  $allowed_protocols.

- The "Really malformed thing" bug from the TODO file was fixed.
  It used to convert this string:
  x > 5 <a href="blah">
  to:
  x > 5 <a href="blah">
  and now it converts it to:
  x > 5 <a href="blah">

- The "Weird malformed thing" bug from the TODO file was fixed.
  It used to convert this string:
  <a href="5 href=6>
  to:
  <a href="6">
  because of the way kses restarts after a parse error in kses_hair(). Now it
  converts it to:
  <a>

- A problem with slashes in HTML tags was fixed.

- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on
  Windows.
  (Reported by Simon Cornelius P. Umacob - thanks!)

- kses now allows dashes in attribute names, for things like
  <meta http-equiv=..>.


* 0.1.0, first public version

0.1.0 was released on the 9th of June 2003.
It was announced on three security related mailing lists on Friday the 13th
of June (nothing bad happened to it though).