SecurityFocus BUGTRAQ Mailing List: BugTraq

To: BugTraq
Subject: [ANNOUNCE] kses 0.2.1
Date: Sep 29 2003 8:08PM
Author: Härnhammar, Ulf
Message-ID: <1064866139.3f78915b6b19f@webmail.student.uu.se>

kses 0.2.1
==========

kses is an HTML/XHTML filter written in PHP. It removes all unwanted HTML elements and attributes, no matter how malformed the HTML input you give it is. It also does several checks on attribute values. kses can be used to avoid Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks, among other things.

The program is released under the terms of the GNU General Public License. You should look into what that means before using kses in your programs.

* FEATURES *

Some of kses' current features are:

* It will only allow the HTML elements and attributes that it was explicitly told to allow.
* Element and attribute names are case-insensitive (a href vs A HREF).
* It will understand and process whitespace correctly.
* Attribute values can be surrounded with quotes, apostrophes or nothing.
* It will accept valueless attributes with just names and no values (selected).
* It will accept XHTML's closing " /" marks.
* Attribute values that are surrounded with nothing will get quotes, to avoid producing non-W3C-conforming HTML (browsers accept unquoted values, but they are not valid HTML).
* It handles lots of types of malformed HTML, by interpreting the existing code the best it can and then rebuilding new code from it. That's a better approach than trying to fix up the existing code in place, as you're bound to forget about some weird special case somewhere. It handles problems like never-ending quotes and tags gracefully.
* It will remove additional "<" and ">" characters that people may try to sneak in somewhere.
* It supports checking attribute values for minimum/maximum length and minimum/maximum value, to protect against Buffer Overflows and Denial of Service attacks against WWW clients and various servers. You can stop
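The feature list above describes a parse-and-rebuild allowlist filter. The following is an added example of that approach, written for this page in Python rather than PHP; it is not kses's own code and does not reproduce its array format or function names. The names `ALLOWED`, `filter_html`, `rebuild_tag` and `check_value`, and the rule keys `minlen`/`maxlen`/`minval`/`maxval`, are choices made for this example. It only allows listed elements and attributes, treats names case-insensitively, accepts quoted, apostrophed and unquoted values and valueless attributes, keeps XHTML's " /" marks, re-emits every value in double quotes, rebuilds each tag from what it parsed (so never-ending quotes and tags end cleanly), strips stray "<" and ">" from text, and drops attributes whose values fail the length or numeric-range checks.

```python
import re

# Allowed elements, their allowed attributes, and per-attribute value rules.
# Constructed for this example; kses uses its own array layout for this.
ALLOWED = {
    "a": {"href": {"maxlen": 100}, "title": {"maxlen": 50}},
    "b": {},
    "img": {"src": {"maxlen": 100}, "alt": {"maxlen": 100},
            "width": {"minval": 1, "maxval": 600},
            "height": {"minval": 1, "maxval": 600}},
    "option": {"value": {"maxlen": 20}, "selected": {}},
}

# A tag runs from "<" to the next ">" or, for a never-ending tag, to the end
# of the input, so every "<" in the input starts a tag match.
TAG_RE = re.compile(r"<[^>]*(?:>|$)")

# One attribute: a name, then optionally "=" and a value in double quotes,
# apostrophes, or no quotes at all. A never-ending quote (no closing quote)
# simply swallows the rest of the tag as the value.
ATTR_RE = re.compile(
    r"([a-zA-Z][\w:-]*)"
    r"(?:\s*=\s*(?:\"([^\"]*)\"?|'([^']*)'?|([^\s\"'>]*)))?")


def check_value(value, rules):
    """True if value passes the min/max length and min/max numeric rules."""
    if "maxlen" in rules and len(value) > rules["maxlen"]:
        return False
    if "minlen" in rules and len(value) < rules["minlen"]:
        return False
    if "minval" in rules or "maxval" in rules:
        if not value.isdigit():  # numeric rules require a plain non-negative integer
            return False
        n = int(value)
        if "maxval" in rules and n > rules["maxval"]:
            return False
        if "minval" in rules and n < rules["minval"]:
            return False
    return True


def rebuild_tag(tag, allowed):
    """Parse one tag and build a fresh one from the parts that are allowed.

    Returns "" when the element itself is not allowed (the whole tag goes).
    """
    body = tag[1:].rstrip(">").strip()
    closing = body.startswith("/")
    if closing:
        body = body[1:].strip()
    # XHTML " /" mark (or a bare "<br/>"); a "/" ending an unquoted URL is not one.
    self_closing = (body.endswith("/") and len(body) > 1
                    and (body[-2].isspace() or body[:-1].isalnum()))
    if self_closing:
        body = body[:-1].rstrip()
    m = re.match(r"[a-zA-Z][a-zA-Z0-9]*", body)
    if not m:
        return ""  # "< 2 >" and the like: not an element at all
    name = m.group(0).lower()
    if name not in allowed:
        return ""
    if closing:
        return "</%s>" % name
    out = ["<" + name]
    for am in ATTR_RE.finditer(body[m.end():]):
        attr = am.group(1).lower()
        rules = allowed[name].get(attr)
        if rules is None:
            continue  # attribute not allowed on this element (e.g. onclick)
        value = next((g for g in am.groups()[1:] if g is not None), None)
        if value is None:
            out.append(attr)  # valueless attribute such as "selected"
            continue
        if not check_value(value, rules):
            continue  # too long / too short / out of numeric range
        out.append('%s="%s"' % (attr, value.replace('"', "&quot;")))
    return " ".join(out) + (" />" if self_closing else ">")


def filter_html(html, allowed=ALLOWED):
    """Allowlist filter: rebuild allowed tags, drop the rest, and remove stray
    "<" and ">" characters from the text between tags."""
    out, pos = [], 0
    for tm in TAG_RE.finditer(html):
        out.append(html[pos:tm.start()].replace("<", "").replace(">", ""))
        out.append(rebuild_tag(tm.group(0), allowed))
        pos = tm.end()
    out.append(html[pos:].replace("<", "").replace(">", ""))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample input exercising each listed feature.
    print(filter_html('<A HREF=http://example.com/ TITLE=\'Hi there\' onclick="evil()">link</A>'))
    print(filter_html('1 < 2 > 0 <script>alert(1)</script> <b>ok</b>'))
    print(filter_html('<img src="x.png" width="9999" height="100" alt="' + "A" * 200 + '">'))
    print(filter_html('<img src="x.png alt=y />'))
```

This example implements only the value checks the announcement lists (length and numeric range); anything beyond that, such as rejecting an href whose value uses an unwanted URL scheme, is not shown here and would have to be added by whoever deploys such a filter. Note that a failing check drops the attribute rather than the element, so `<img width="9999">` still yields an `<img>` without a width.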