[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030726101706.GA6070@Update.UU.SE>
Date: Sat, 26 Jul 2003 12:17:06 +0200
From: Ulf Harnhammar <ulfh@...ate.UU.SE>
To: bugtraq@...urityfocus.com
Cc: lwn@....net, webappsec@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: [ANNOUNCE] kses 0.2.0
kses 0.2.0
==========
* INTRODUCTION *
kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML
elements and attributes, no matter how malformed HTML input you give it. It
also does several checks on attribute values. kses can be used to avoid
Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks,
among other things.
The program is released under the terms of the GNU General Public License. You
should look into what that means, before using kses in your programs.
* FEATURES *
Some of kses' current features are:
* It will only allow the HTML elements and attributes that it was explicitly
told to allow.
* Element and attribute names are case-insensitive (a href vs A HREF).
* It will understand and process whitespace correctly.
* Attribute values can be surrounded with quotes, apostrophes or nothing.
* It will accept attributes with just names and no values (selected).
! It will accept XHTML's closing " /" marks. [new in 0.2.0]
* Attribute values that are surrounded with nothing will get quotes to avoid
producing non-W3C conforming HTML
(<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML).
* It handles lots of types of malformed HTML, by interpreting the existing code
the best it can and then rebuilding new code from it. That's a better approach
than trying to process existing code, as you're bound to forget about some
weird special case somewhere. It handles problems like never-ending quotes and
tags gracefully.
* It will remove additional "<" and ">" characters that people may try to sneak
in somewhere.
! It supports checking attribute values for maximum length and maximum value,
to protect against Buffer Overflows and Denial of Service attacks against WWW
clients and various servers. You can stop <iframe src= width= height=> from
having too high values for width and height, for instance. [new in 0.2.0]
! It has got a system for white listing URL protocols. You can say that
attribute values may only start with http:, https:, ftp: and gopher:, but no
other URL protocols (javascript:, java:, about:, telnet:..). The functions that
do this work handle whitespace, upper/lower case, HTML entities
("javascript:") and repeated entries ("javascript:javascript:alert(57)").
It also normalizes HTML entities as a nice side effect. [new in 0.2.0]
! It removes Netscape 4's JavaScript entities ("&{alert(57)};"). [new in 0.2.0]
! It handles NULL bytes. [new in 0.2.0]
* DOWNLOAD LOCATION AND MAILING LIST *
If you want to download kses or subscribe to its kses-general mailing list, you
should visit its homepage at http://sourceforge.net/projects/kses .
Security audits, bug reports and patches are highly appreciated, so don't
hesitate to get in touch.
// Ulf Harnhammar, London/Stockholm, July 2003
metaur at users dot sourceforge dot net
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists