kses ChangeLog
==============

* 0.2.1

0.2.1 was released on the 29th of September 2003.
It has the following changes:


- There is now an additional version of kses, using the object-oriented
  paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone
  who wants to make functional programming, logical programming or spaghetti
  programming versions of kses as well (or any other programming paradigm that
  you like), go ahead! All the people who like old procedural programming for
  web applications shouldn't despair, though, as both versions will be
  maintained with each release.

- kses now has some new attribute value checks: minlen, minval and valueless.
  See docs/attribute-value-checks for an explanation.

- For some reason, the Opera developers decided to make chr(173) a whitespace
  character in URL protocols, both when it occurs raw and in an entity. kses
  now handles this.

- The URL protocol whitelisting system now decodes entities before removing
  NULLs and whitespace.


* 0.2.0

0.2.0 was released on the 25th of July 2003.
It has the following changes:


- kses now supports checking of attribute values, and not just element names
  and attribute names. The attribute value checks that exist so far are
  'maxlen' (checks how long attribute values are, to avoid buffer overflows)
  and 'maxval' (checks how big an integer value is, to avoid Denial of Service
  attacks).

  Buffer overflows could be a problem both for WWW clients and for other
  servers on the Internet that an HTML document links to. One example is
  <frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.

  Denial of Service attacks can take the form of oversized iframes, among
  other things. One example is <iframe src="http://some.web.server/"
  width="20000" height="2000">, which completely overloads some client
  machines.

- kses' old feature of removing "javascript:" from attribute values has been
  improved. It now has a whole system for white listing of URL protocols, so
  you can specify that http:, https:, ftp: and gopher: are acceptable in
  attribute values, but no other protocols. The system tries pretty hard to
  do the right thing with whitespace, upper/lower case, HTML entities
  ("javascript:") and repeated entries ("javascript:javascript:alert(57)").
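
  The protocol check described here, together with the 0.2.1 notes about
  chr(173) and about decoding entities before stripping NULLs and whitespace,
  as an added Python example; this is not kses' own PHP code. The allow-list,
  the function names and the rule that a ':' preceded by '/' or '?' is not a
  protocol separator are assumptions.

```python
import html
import re

# Constructed allow-list with the protocols named in the changelog.
ALLOWED_PROTOCOLS = ("http", "https", "ftp", "gopher")

# Removed from the protocol part: ordinary whitespace plus chr(173), the
# soft hyphen that Opera treated as whitespace in URL protocols.
_PROTO_JUNK = re.compile(r"[\s\xad]+")


def bad_protocol_once(url: str) -> str:
    """One pass of the check (assumed logic, not kses' own code).

    Order matters: entities are decoded first, then NULLs are removed,
    then whitespace is stripped from the protocol part, and only then is
    the name compared case-insensitively with the allow-list.
    """
    decoded = html.unescape(url).replace("\x00", "")
    head, sep, rest = decoded.partition(":")
    # No ':' at all, or a '/' or '?' before it: the colon is not a
    # protocol separator (assumed rule), so there is nothing to check.
    if not sep or "/" in head or "?" in head:
        return decoded
    proto = _PROTO_JUNK.sub("", head).lower()
    if proto in ALLOWED_PROTOCOLS:
        return proto + ":" + rest
    return rest                              # drop the disallowed protocol


def bad_protocol(url: str) -> str:
    """Repeat until the value is stable, so stacked entries such as
    'javascript:javascript:alert(57)' cannot survive a single pass."""
    while True:
        cleaned = bad_protocol_once(url)
        if cleaned == url:
            return cleaned
        url = cleaned
```

  Each loop iteration decodes entities again, so an entity-encoded protocol
  that only appears after the first pass is still caught.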
---|
56 | |
---|
57 | - kses now supports both HTML and XHTML code, by allowing " /" at the end of |
---|
58 | tags. |
---|
59 | |
---|
60 | - kses now removes Netscape 4's JavaScript entities, having the form |
---|
61 | "&{alert(57)};". They don't even seem to work on all versions of Netscape 4, |
---|
62 | but for completeness' sake it seemed like a good feature to add. |
---|
63 | |
---|
64 | - A bug with NULLs in javascript: URLs was fixed. |
---|
65 | (Reported by Simon Cornelius P. Umacob - thanks!) |
---|
66 | |
---|
67 | - As a nice side effect of the white listing of URL protocols, kses now also |
---|
68 | normalizes all HTML entities in documents. It will change HTML code with bad |
---|
69 | entities to the right form, for example "AT&T" will be converted to |
---|
70 | "AT&T" and "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>" will be |
---|
71 | converted to "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>". |
---|
72 | ":" will be converted to ":", "&#XYZZY;" will be converted to |
---|
73 | "&#XYZZY;", "ä!;" will be converted to "&auml!;" and so on. |
---|
74 | |
---|
75 | As shown above, it will process HTML entities that it doesn't understand. |
---|
76 | It will also deal with too big numbers in numeric HTML entities, which is |
---|
77 | helpful as many browsers seem to wrap them around at 2 ** 32, so the |
---|
78 | characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera are all colons to the |
---|
79 | web browser. |
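
  The entity normalization described above, as an added Python example rather
  than kses' own code. It also generalizes to hex numeric entities; the 0xFFFF
  ceiling, the function names and the lookup in Python's html.entities table
  are assumptions.

```python
import html.entities
import re

# Assumed ceiling: a numeric entity above the 16-bit range is defused rather
# than passed through, because browsers of the day wrapped the number at
# 2**32, so &#58;, &#4294967354; (58 + 2**32) and so on all rendered as ':'.
MAX_CODEPOINT = 0xFFFF

# One '&' plus an optional entity body (hex numeric, decimal numeric, or a
# name of 2..8 alphanumerics) plus an optional ';'.
_AMP = re.compile(
    r"&(?:(#[xX][0-9A-Fa-f]+|#[0-9]+|[A-Za-z][A-Za-z0-9]{1,7})(;?))?"
)


def wrapped_codepoint(value: int) -> int:
    """The character a browser that wraps at 2**32 shows for &#value;."""
    return value % (1 << 32)


def _rewrite(match) -> str:
    body, semi = match.group(1), match.group(2)
    if body is None:                        # lone '&', as in "AT&T"
        return "&amp;"
    if body.startswith("#"):
        value = int(body[2:], 16) if body[1] in "xX" else int(body[1:])
        if value > MAX_CODEPOINT:           # too big: escape, never wrap
            return "&amp;" + body + semi
        return "&#%d;" % value              # canonical decimal, ';' added
    if semi == ";" and body in html.entities.entitydefs:
        return "&" + body + ";"             # well-formed named entity, kept
    return "&amp;" + body + semi            # unknown name or missing ';'


def normalize_entities(text: str) -> str:
    """Rewrite every '&' so that only well-formed entities remain
    (assumed algorithm modelled on the changelog's examples)."""
    return _AMP.sub(_rewrite, text)
```

  Running the function twice gives the same result as running it once, so
  the output can safely be fed back into the protocol check.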
---|
80 | |
---|
81 | - You can now use upper case letters in your $allowed_html array, in element |
---|
82 | names, attribute names and attribute value check names. Version 0.1.0 |
---|
83 | required everything in that array to be in lower case, but that's not |
---|
84 | necessary any more. You can also use upper case letters in |
---|
85 | $allowed_protocols. |
---|
86 | |
---|
87 | - The "Really malformed thing" bug from the TODO file was fixed. |
---|
88 | It used to convert this string: |
---|
89 | x > 5 <a href="blah"> |
---|
90 | to: |
---|
91 | x > 5 <a href="blah"> |
---|
92 | and now it converts it to: |
---|
93 | x > 5 <a href="blah"> |
---|
94 | |
---|
95 | - The "Weird malformed thing" bug from the TODO file was fixed. |
---|
96 | It used to convert this string: |
---|
97 | <a href="5 href=6> |
---|
98 | to: |
---|
99 | <a href="6"> |
---|
100 | because of the way kses restarts after a parse error in kses_hair(). Now it |
---|
101 | converts it to: |
---|
102 | <a> |
---|
103 | |
---|
104 | - A problem with slashes in HTML tags was fixed. |
---|
105 | |
---|
106 | - examples/filter.php used to use $SCRIPT_NAME, which doesn't work on |
---|
107 | Windows. |
---|
108 | (Reported by Simon Cornelius P. Umacob - thanks!) |
---|
109 | |
---|
110 | - kses now allows dashes in attribute names, for things like |
---|
111 | <meta http-equiv=..>. |
---|
112 | |
---|
113 | |
---|
114 | * 0.1.0, first public version |
---|
115 | |
---|
116 | 0.1.0 was released on the 9th of June 2003. |
---|
117 | It was announced on three security related mailing lists on Friday the 13th |
---|
118 | of June (nothing bad happened to it though). |
---|