kses attribute value checks
===========================

As you have probably already read in the README file, an $allowed_html array
normally looks like this:

    $allowed = array('b' => array(),
                     'i' => array(),
                     'a' => array('href' => 1,
                                  'title' => 1),
                     'p' => array('align' => 1),
                     'br' => array());

This sets which elements and attributes are allowed. Every other element and
attribute is stripped.

From kses 0.2.0 you can also have kses check the attribute values themselves.
Instead of the plain 1, you give an array of checks for that attribute:

    $allowed = array('b' => array(),
                     'i' => array(),
                     'a' => array('href' => array('maxlen' => 100),
                                  'title' => 1),
                     'p' => array('align' => 1),
                     'font' => array('size' => array('maxval' => 20)),
                     'br' => array());

This means that kses should perform the 'maxlen' check with the value 100 on
the value of the href attribute of <a>, and the 'maxval' check with the value
20 on the value of the size attribute of <font>. An attribute that fails one of
its checks is removed from the element. The currently implemented checks (with
more to come) are 'maxlen', 'maxval', 'minlen', 'minval' and 'valueless'.

'maxlen' checks that the length of the attribute value is not greater than the
given value. It is helpful against Buffer Overflows in WWW clients and in
various servers on the Internet that are handed the value. In my example
above, it would mean that "" wouldn't be accepted. Of course, this problem is
even worse if you put that long URL in a tag that the WWW client fetches
automatically, so that no user has to click it first.

'maxval' checks that the attribute value is an integer greater than or equal to
zero, that it doesn't have an unreasonable amount of leading zeroes or
whitespace (to avoid Buffer Overflows), and that it is not greater than the
given value. In my example above, it would mean that "" is accepted but "" is
not. This check helps against Denial of Service attacks against WWW clients.
One example of this DoS problem is
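The following is an added, stand-alone re-implementation of the attribute
value checks described above, so you can see exactly which values pass and
which are rejected. It is not kses' own code: the function names, the
regular expression used for the "unreasonable zeroes or whitespace" rule
(at most 6 digits and at most 6 whitespace characters on either side), and
the meaning of 'minlen', 'minval' and 'valueless' (by analogy with 'maxlen'
and 'maxval'; 'valueless' => 'y' means the attribute must carry no value at
all) are my assumptions, since the page's description of those three checks
is cut off. All sample inputs are constructed.

```php
<?php
// Added example, not kses' own code. Re-implements the documented checks:
// maxlen, maxval, minlen, minval, valueless. Regex limits are assumptions.

function check_attr_value(string $value, bool $vless, string $check, $limit): bool
{
    // Assumed rule for "reasonable" integers: up to 6 digits, up to 6
    // whitespace chars on each side, no sign, no decimals, no exponent.
    $int_re = '/^\s{0,6}[0-9]{1,6}\s{0,6}$/';

    switch ($check) {
        case 'maxlen':
            return strlen($value) <= $limit;
        case 'minlen':
            return strlen($value) >= $limit;
        case 'maxval':
            return preg_match($int_re, $value) === 1 && (int) $value <= $limit;
        case 'minval':
            return preg_match($int_re, $value) === 1 && (int) $value >= $limit;
        case 'valueless':
            // 'y': attribute must appear without a value (e.g. <input disabled>)
            // 'n': attribute must have a value
            return strtolower($limit) === ($vless ? 'y' : 'n');
        default:
            // Unknown check name: fail closed rather than silently allow.
            return false;
    }
}

// Decide whether $attr="$value" on <$element> survives under $allowed.
function attr_allowed(string $element, string $attr, string $value,
                      bool $vless, array $allowed): bool
{
    $element = strtolower($element);
    $attr    = strtolower($attr);
    if (!isset($allowed[$element][$attr])) {
        return false;                      // element or attribute not whitelisted
    }
    $checks = $allowed[$element][$attr];
    if (!is_array($checks)) {
        return true;                       // plain 1: allowed, no value checks
    }
    foreach ($checks as $name => $limit) { // every listed check must pass
        if (!check_attr_value($value, $vless, $name, $limit)) {
            return false;
        }
    }
    return true;
}

$allowed = array(
    'a'     => array('href' => array('maxlen' => 100), 'title' => 1),
    'font'  => array('size' => array('maxval' => 20, 'minval' => 1)),
    'input' => array('disabled' => array('valueless' => 'y')),
);

// Constructed inputs: element, attribute, value, value-less?, expected result
$samples = array(
    array('a',     'href',     'http://example.com/' . str_repeat('a', 60),  false, true),
    array('a',     'href',     'http://example.com/' . str_repeat('a', 200), false, false),
    array('a',     'title',    str_repeat('x', 500),   false, true),   // no checks on title
    array('font',  'size',     '7',                    false, true),
    array('font',  'size',     ' 20 ',                 false, true),
    array('font',  'size',     '21',                   false, false),  // above maxval
    array('font',  'size',     '0',                    false, false),  // below minval
    array('font',  'size',     '000000000000007',      false, false),  // too many zeroes
    array('font',  'size',     '-1',                   false, false),  // not a non-negative int
    array('font',  'size',     '7e9',                  false, false),  // not a plain integer
    array('input', 'disabled', '',                     true,  true),
    array('input', 'disabled', 'disabled',             false, false),  // must be valueless
    array('b',     'onclick',  'alert(1)',             false, false),  // attribute not whitelisted
);

foreach ($samples as list($el, $at, $val, $vless, $expect)) {
    $got = attr_allowed($el, $at, $val, $vless, $allowed);
    printf("%-5s %-8s %-30s => %-8s %s\n", $el, $at,
           strlen($val) > 28 ? substr($val, 0, 25) . '...' : $val,
           $got ? 'kept' : 'dropped', $got === $expect ? 'ok' : 'MISMATCH');
}
```

Note that the integer checks reject anything that is not a short run of
digits, so the values that are "too long" for 'maxval' are rejected by the
regular expression before they are ever converted to a number; that is the
part of the check that guards against the padding described above, while the
numeric comparison is what guards against the oversized value itself.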