Source code of eGroupWare 1.2.106-2


/phpgwapi/doc/kses-0.2.1/ -> ChangeLog (source)

kses ChangeLog
==============

* 0.2.1

0.2.1 was released on the 29th of September 2003.
It has the following changes:


- There is now an additional version of kses, using the object-oriented
  paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone
  who wants to make functional programming, logical programming or spaghetti
  programming versions of kses as well (or any other programming paradigm that
  you like), go ahead! All the people who like old procedural programming for
  web applications shouldn't despair, though, as both versions will be
  maintained with each release.

- kses now has some new attribute value checks: minlen, minval and valueless.
  See docs/attribute-value-checks for an explanation.

- For some reason, the Opera developers decided to make chr(173) a whitespace
  character in URL protocols, both when it occurs raw and in an entity. kses
  now handles this.

- The URL protocol whitelisting system now decodes entities before removing
  NULLs and whitespace.


* 0.2.0

0.2.0 was released on the 25th of July 2003.
It has the following changes:


- kses now supports checking of attribute values, and not just element names
  and attribute names. The attribute value checks that exist so far are
  'maxlen' (checks how long attribute values are, to avoid buffer overflows)
  and 'maxval' (checks how big an integer value is, to avoid Denial of Service
  attacks).

  Buffer overflows could be a problem both for WWW clients and for other
  servers on the Internet that an HTML document links to. One example is
  <frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.

  Denial of Service attacks can take the form of oversized iframes or other
  things. One example is <iframe src="http://some.web.server/"
  width="20000" height="2000">, which completely overloads some client
  machines.
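
The attribute value checks described in the two entries above (maxlen and maxval from 0.2.0, minlen, minval and valueless from 0.2.1), as an added Python example. This is not kses' own code (kses is written in PHP); it is a re-implementation of the check semantics over a constructed policy dict shaped like the $allowed_html array. The function names check_attr_value and filter_attributes, the elements, attributes and limits in ALLOWED_HTML, and the reading of valueless ('y': the attribute must be written bare, 'n': it must carry a value) are assumptions made for this example.

```python
import re

# Constructed policy in the style of kses' $allowed_html array (element ->
# attribute -> {check name: check value}).  The check names are the ones the
# ChangeLog lists; the elements, attributes and limits are made up for this
# example and are not kses' defaults.
ALLOWED_HTML = {
    "a": {"href": {"maxlen": 200}, "title": {"maxlen": 60}},
    "frame": {"src": {"maxlen": 200}},
    "iframe": {
        "src": {"maxlen": 200},
        "width": {"minval": 1, "maxval": 1024},
        "height": {"minval": 1, "maxval": 768},
    },
    "input": {
        "type": {"maxlen": 10},
        "checked": {"valueless": "y"},            # must be written bare: <input checked>
        "name": {"minlen": 1, "valueless": "n"},  # must carry a value
    },
}

DIGITS = re.compile(r"[0-9]+")


def check_attr_value(value, is_valueless, check_name, check_value):
    """Apply one named check to one attribute value.

    value        -- the attribute's value ('' when the attribute was valueless)
    is_valueless -- True when the attribute was written without '=value'
    """
    if check_name == "maxlen":
        return len(value) <= check_value
    if check_name == "minlen":
        return len(value) >= check_value
    if check_name == "maxval":
        # only plain non-negative integers qualify; anything else fails the check
        return DIGITS.fullmatch(value) is not None and int(value) <= check_value
    if check_name == "minval":
        return DIGITS.fullmatch(value) is not None and int(value) >= check_value
    if check_name == "valueless":
        # assumed reading: 'y' = the attribute must have no value, 'n' = it must have one
        return is_valueless == (check_value == "y")
    raise ValueError("unknown attribute value check: %r" % check_name)


def filter_attributes(element, attrs, allowed_html=ALLOWED_HTML):
    """Return the attributes of one element that pass every configured check.

    attrs is a list of (name, value) pairs, with value None for a valueless
    attribute.  Returns None when the element itself is not allowed.  Element and
    attribute names are lower-cased before lookup, so mixed case in the input does
    not matter; the policy keys are assumed to be lower case here.
    """
    policy = allowed_html.get(element.lower())
    if policy is None:
        return None
    kept = []
    for name, value in attrs:
        checks = policy.get(name.lower())
        if checks is None:
            continue                                  # attribute not whitelisted
        is_valueless = value is None
        text = "" if is_valueless else value
        if all(check_attr_value(text, is_valueless, c, v) for c, v in checks.items()):
            kept.append((name.lower(), value))
    return kept


if __name__ == "__main__":
    # The two examples from the ChangeLog, run against the constructed limits.
    print(filter_attributes("iframe", [("src", "http://some.web.server/"),
                                       ("width", "20000"), ("height", "2000")]))
    print(filter_attributes("frame", [("src", "ftp://ftp.v1ct1m.com/" + "A" * 5000)]))
```

With the constructed policy, the oversized iframe keeps only its src, and the frame whose src is thousands of characters long keeps no attributes at all; an element that is not in the policy is rejected outright.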

- kses' old feature of removing "javascript:" from attribute values has been
  improved. It now has a whole system for whitelisting URL protocols, so you
  can specify that http:, https:, ftp: and gopher: are acceptable in attribute
  values, but no other protocols. The system tries pretty hard to do the right
  thing with whitespace, upper/lower case, HTML entities ("jav&#97;script:")
  and repeated entries ("javascript:javascript:alert(57)").

- kses now supports both HTML and XHTML code, by allowing " /" at the end of
  tags.

- kses now removes Netscape 4's JavaScript entities, having the form
  "&{alert(57)};". They don't even seem to work on all versions of Netscape 4,
  but for completeness' sake it seemed like a good feature to add.

- A bug with NULLs in javascript: URLs was fixed.
  (Reported by Simon Cornelius P. Umacob - thanks!)

- As a nice side effect of the whitelisting of URL protocols, kses now also
  normalizes all HTML entities in documents. It will change HTML code with bad
  entities to the right form: for example "AT&T" will be converted to
  "AT&amp;T" and "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>" will be
  converted to "<a href='lyrics.php?band=ladytron&amp;lyrics=playgirl'>".
  "&#000058;" will be converted to "&#58;", "&#XYZZY;" will be converted to
  "&amp;#XYZZY;", "&auml!;" will be converted to "&amp;auml!;" and so on.

  As shown above, it will process HTML entities that it doesn't understand.
  It will also deal with too big numbers in numeric HTML entities, which is
  helpful as many browsers seem to wrap them around at 2 ** 32, so the
  characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera are all colons to the
  web browser.
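
The URL protocol whitelisting and the entity normalization described above (together with the 0.2.1 items on chr(173) and on decoding entities before stripping NULLs and whitespace), as one added Python example. It is not kses' code but a re-implementation of the behaviour the ChangeLog describes: entities are canonicalized with numeric values wrapped at 2 ** 32, the text before the first colon is decoded, stripped of NULs, whitespace and chr(173), lower-cased and compared against a whitelist, and the pass is repeated until nothing changes so that stacked protocols are all removed. ALLOWED_PROTOCOLS is a constructed whitelist, the function names are my own, only numeric entities are decoded in the protocol part, and hexadecimal numeric entities (&#x3a;) are handled here as an extension the ChangeLog does not mention.

```python
import re

# Constructed whitelist in the style of kses' $allowed_protocols (an assumption
# for this example, not kses' defaults).
ALLOWED_PROTOCOLS = ["http", "https", "ftp", "gopher", "mailto"]

# Characters stripped inside a protocol name: NUL, ordinary whitespace, and
# chr(173) (soft hyphen), which the ChangeLog says Opera treats as whitespace.
PROTOCOL_NOISE = re.compile("[\x00\t\n\r\x20\xad]")

# Numeric entities only: decimal (&#58;) and, as an extension, hex (&#x3a;).
NUMERIC_ENTITY = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));")

# Every '&': followed by a well-formed numeric or named entity, or by anything else.
ENTITY = re.compile(r"&(#[0-9]+;|#[xX][0-9a-fA-F]+;|[A-Za-z][A-Za-z0-9]{0,7};)?")

# The protocol part of a URL: letters, digits, whitespace, chr(173) and entities
# up to the first ':' (raw or as &#58; / &#x3a;), plus whitespace after the colon.
PROTOCOL_PART = re.compile(r"^((?:&[^;]*;|[\s\xadA-Za-z0-9])*)(:|&#58;|&#[xX]3[aA];)\s*")


def decode_numeric_entities(text):
    """Replace &#NNN; / &#xHH; with the character, wrapping at 2**32 like browsers."""
    def one(m):
        n = int(m.group(1), 16) if m.group(1) is not None else int(m.group(2))
        n %= 2 ** 32
        return chr(n) if n <= 0x10FFFF else "\ufffd"
    return NUMERIC_ENTITY.sub(one, text)


def normalize_entities(text):
    """Canonicalize every '&' as the ChangeLog describes: keep well-formed entities
    (numeric ones renumbered modulo 2**32, leading zeros dropped) and escape the
    '&' of everything else."""
    def one(m):
        ent = m.group(1)
        if ent is None:                          # bare '&' or malformed entity
            return "&amp;"
        if ent.startswith("#"):
            n = int(ent[2:-1], 16) if ent[1] in "xX" else int(ent[1:-1])
            return "&#%d;" % (n % 2 ** 32)
        return "&" + ent                         # named entity, kept as written
    return ENTITY.sub(one, text)


def bad_protocol_once(url):
    """One pass: if the text before the first ':' is not a whitelisted protocol
    once decoded, de-noised and lower-cased, drop it together with the ':'."""
    m = PROTOCOL_PART.match(url)
    if m is None:
        return url
    # decode entities first, then strip NULs/whitespace (the 0.2.1 ordering fix)
    protocol = PROTOCOL_NOISE.sub("", decode_numeric_entities(m.group(1))).lower()
    rest = url[m.end():]
    if protocol in ALLOWED_PROTOCOLS:
        return protocol + ":" + rest
    return rest


def filter_url_protocol(url):
    """Repeat the single pass until nothing changes, so stacked protocols such as
    'javascript:javascript:alert(57)' are all removed."""
    url = url.replace("\x00", "")
    while True:
        cleaned = bad_protocol_once(url)
        if cleaned == url:
            return url
        url = cleaned


def clean_href(value):
    """What the filter does to one href/src value: normalize entities for the
    document, then apply the protocol whitelist."""
    return filter_url_protocol(normalize_entities(value))


if __name__ == "__main__":
    for sample in ["http://some.web.server/", "jav&#97;script:alert(57)",
                   "JAVA\tSCRIPT : alert(57)", "java&#173;script:alert(57)",
                   "jav&#4294967393;script:alert(57)", "javascript:javascript:alert(57)"]:
        print(repr(sample), "->", repr(clean_href(sample)))
```

The entity 4294967393 in the last-but-one sample is 97 + 2 ** 32, which a wrapping browser reads as the letter "a"; normalizing it modulo 2 ** 32 before the protocol check is what makes the whitelist see "javascript" rather than an unknown protocol.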

- You can now use upper case letters in your $allowed_html array, in element
  names, attribute names and attribute value check names. Version 0.1.0
  required everything in that array to be in lower case, but that's not
  necessary any more. You can also use upper case letters in
  $allowed_protocols.

- The "Really malformed thing" bug from the TODO file was fixed.
  It used to convert this string:
  x > 5 <a href="blah">
  to:
  x &gt; 5 &lt;a href=&quot;blah&quot;&gt;
  and now it converts it to:
  x &gt; 5 <a href="blah">

- The "Weird malformed thing" bug from the TODO file was fixed.
  It used to convert this string:
  <a href="5 href=6>
  to:
  <a href="6">
  because of the way kses restarts after a parse error in kses_hair(). Now it
  converts it to:
  <a>

- A problem with slashes in HTML tags was fixed.

- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on
  Windows.
  (Reported by Simon Cornelius P. Umacob - thanks!)

- kses now allows dashes in attribute names, for things like
  <meta http-equiv=..>.


* 0.1.0, first public version

0.1.0 was released on the 9th of June 2003.
It was announced on three security related mailing lists on Friday the 13th
of June (nothing bad happened to it though).


Generated on: Sun Feb 25 17:20:01 2007 by Balluche using PHPXref 0.7