[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030613101336.GA9100@Update.UU.SE>
Date: Fri, 13 Jun 2003 12:13:36 +0200
From: Ulf Harnhammar <ulfh@...ate.UU.SE>
To: bugtraq@...urityfocus.com
Cc: webappsec@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: [ANNOUNCE] kses 0.1.0
kses 0.1.0
==========
kses is an HTML filter written in PHP. It removes all unwanted HTML elements
and attributes, no matter how malformed HTML input you give it. This is
helpful for avoiding Cross-Site Scripting (XSS) security holes, among other
things.
Some of kses' current features are:
* It will only allow the HTML elements and attributes that you say are OK.
* Element and attribute names are case-insensitive (a href vs A HREF).
* It will understand and process whitespace correctly.
* Attribute values can be surrounded with quotes, apostrophes or nothing.
* It will accept attributes with just names and no values (selected).
* Attribute values that are surrounded with nothing will get quotes to avoid
producing non-W3C conforming HTML
(<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML).
* It will remove "javascript:" in attribute values, while ignoring case and
whitespace. The removal is done in a loop, so it won't be fooled by something
silly like "javajavajavascript:script:script:alert(57)".
* It will remove additional "<" and ">" characters that people may try to
sneak in somewhere.
* It handles lots of types of malformed HTML, by interpreting the existing
code the best it can and then rebuilding new code from it. That's a better
approach than trying to process existing code, as you're bound to forget about
some weird special case somewhere.
kses 0.1.0, the first public release, can be downloaded from
http://sourceforge.net/projects/kses . If some of the people that usually
audit web applications would take a look at kses to try to find security holes
in it, it would be appreciated.
// Ulf Harnhammar, London/Stockholm, June 2003
metaur at users dot sourceforge dot net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists