Message-ID: <20030613101336.GA9100@Update.UU.SE>
Date: Fri, 13 Jun 2003 12:13:36 +0200
From: Ulf Harnhammar <ulfh@...ate.UU.SE>
To: bugtraq@...urityfocus.com
Cc: webappsec@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: [ANNOUNCE] kses 0.1.0


kses 0.1.0
==========

kses is an HTML filter written in PHP. It removes all unwanted HTML elements
and attributes, no matter how malformed the HTML input you give it is. This is
helpful for avoiding Cross-Site Scripting (XSS) security holes, among other
things.

Some of kses' current features are:

* It will only allow the HTML elements and attributes that you say are OK.
* Element and attribute names are case-insensitive (a href vs A HREF).
* It will understand and process whitespace correctly.
* Attribute values can be surrounded with quotes, apostrophes or nothing.
* It will accept attributes with just names and no values (selected).
* Attribute values that are surrounded with nothing will get quotes to avoid
producing non-W3C conforming HTML
(<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML).
* It will remove "javascript:" in attribute values, while ignoring case and
whitespace. The removal is done in a loop, so it won't be fooled by something
silly like "javajavajavascript:script:script:alert(57)".
* It will remove additional "<" and ">" characters that people may try to
sneak in somewhere.
* It handles lots of types of malformed HTML, by interpreting the existing
code the best it can and then rebuilding new code from it. That's a better
approach than trying to process existing code, as you're bound to forget about
some weird special case somewhere.
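As an added illustration of two of the features listed above, the looped removal of "javascript:" and the whitelist-then-rebuild approach to attributes, here is a small Python sketch. It is not kses' own code; the whitelist, the regular expression, the parsed (name, value) input and the escaping of double quotes are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed whitelist in the spirit of "only what you say is OK";
# the real kses configuration format is not shown in the announcement.
ALLOWED = {"a": {"href", "title"}, "b": set(), "option": {"value", "selected"}}

# "javascript:" with optional whitespace between the letters, in any case.
_JS_RE = re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.IGNORECASE)


def strip_js_once(value: str) -> str:
    """Single-pass removal: the remnants of one match can form a new one."""
    return _JS_RE.sub("", value)


def strip_js_loop(value: str) -> str:
    """Looped removal as the announcement describes: repeat until stable."""
    while True:
        cleaned = _JS_RE.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned


def rebuild_tag(tag: str, attrs: List[Tuple[str, Optional[str]]]) -> str:
    """Rebuild one opening tag from already-parsed (name, value) pairs:
    keep only whitelisted names (compared case-insensitively), quote every
    value, drop stray '<' and '>' from values. Non-whitelisted tags vanish."""
    tag = tag.lower()
    if tag not in ALLOWED:
        return ""
    parts = [tag]
    for name, value in attrs:
        name = name.lower()
        if name not in ALLOWED[tag]:
            continue
        if value is None:                      # bare attribute, e.g. "selected"
            parts.append(name)
            continue
        value = strip_js_loop(value)
        value = value.replace("<", "").replace(">", "")
        value = value.replace('"', "&quot;")   # assumption: keep the new quoting intact
        parts.append('%s="%s"' % (name, value))
    return "<" + " ".join(parts) + ">"
```

Running strip_js_once on the "javajavajavascript:script:script:alert(57)" string from the list leaves a fresh "javascript:" behind, while strip_js_loop reduces it to "alert(57)".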

kses 0.1.0, the first public release, can be downloaded from
http://sourceforge.net/projects/kses . If some of the people that usually
audit web applications would take a look at kses to try to find security holes
in it, it would be appreciated.

// Ulf Harnhammar, London/Stockholm, June 2003
   metaur at users dot sourceforge dot net
