Opened 17 years ago
Closed 14 years ago
#4755 closed enhancement (wontfix)
WordPress should use code from the modified kses at Sourceforge.net
Reported by: alpha2zee
Owned by: ryan
Milestone: (none)
Priority: low
Severity: minor
Version: (none)
Component: Security
Keywords: close
Focuses: (none)
Cc: (none)
Description
A modified and better version of the kses HTML filter has been developed by Labware for their next LabWiki release. It is currently available at Sourceforge.
WordPress should think of using its code -- the kses.php it uses still has some bugs that can be thus fixed. Also, there are new features in the modified version, and its use is compatible with the current kses() calls.
Bug-fixes (compared to original kses 0.2.2):
- Lone < characters are taken care of
- Takes care of single-tag elements like img and br that do not have a space before their closing tag (e.g., <hr/>)
- Output is more XHTML standard-compliant. E.g., attributes are declared only once, tags and attributes are lowercased, named XHTML entities are checked, etc.
Extra features:
- Inline styling is now possible. Earlier, CSS properties like background-color: yellow were removed because of the so-called 'colon bug.'
- Option to balance tags for well-formedness of (X)HTML
- Option to 'entitify' unallowed tags instead of removing them. Currently, kses always strips them.
- Option for unique ID attribute values, with option to remove or with a chosen prefix
- Option to allow HTML comments and CDATA sections.
The download has some test results.
(The upcoming release makes it easier to specify allowed tags (string instead of multi-dimensional array), specify element and attribute specific protocols and class properties, etc.)
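As an added illustration of the behaviours the ticket lists (lone `<` characters, `<hr/>` without a space, duplicate and upper-case attributes, the 'colon bug' in inline styles, entity checks, tag balancing and the 'entitify' option), here is a small allowlist HTML filter in Python. It is example code written for this page, not kses, htmLawed or WordPress code; the allowlist, the protocol and CSS property lists, and the sample inputs are all constructed for the demonstration. The protocol check is applied only to URL-bearing attributes (href, src), so a colon inside a style value is no longer a reason to drop it.

```python
import html
from html.entities import name2codepoint
from html.parser import HTMLParser

# Constructed allowlist in the spirit of kses' $allowed_html array (not kses' real table):
# tag -> attributes permitted on it.
ALLOWED = {
    "a": {"href", "title"}, "b": set(), "i": set(), "p": set(),
    "span": {"style"}, "img": {"src", "alt"}, "br": set(), "hr": set(),
}
VOID = {"br", "hr", "img"}                        # single-tag elements, always emitted as <tag />
URL_ATTRS = {"href", "src"}                       # only these get the protocol check
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
ALLOWED_CSS = {"color", "background-color", "font-weight"}


def _safe_url(value):
    """Protocol allowlist for URL attributes: relative URLs pass, a scheme must be listed."""
    v = "".join(ch for ch in value if ch > " ").lower()   # strip whitespace/control padding
    colon = v.find(":")
    if colon == -1 or any(c in v[:colon] for c in "/?#"):
        return True                                       # no scheme present
    return v[:colon] in ALLOWED_PROTOCOLS


def _clean_css(value):
    """Keep only allowlisted properties; the colon is legitimate here, so
    'background-color: yellow' survives instead of hitting the old 'colon bug'."""
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip()
        if sep and prop in ALLOWED_CSS and "(" not in val and "\\" not in val:   # no url()/expression()
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class KsesLike(HTMLParser):
    def __init__(self, entitify=False):
        super().__init__(convert_charrefs=False)   # keep entities so we can validate them ourselves
        self.out, self.stack, self.entitify = [], [], entitify

    def handle_starttag(self, tag, attrs):           # HTMLParser already lowercases tag/attr names
        if tag not in ALLOWED:
            if self.entitify:                        # 'entitify' option: show the tag as text
                self.out.append(html.escape(self.get_starttag_text()))
            return
        seen = {}
        for name, value in attrs:                    # values arrive entity-decoded by the parser
            value = value or ""
            if name in seen or name not in ALLOWED[tag]:    # duplicate or unlisted: first one wins
                continue
            if name in URL_ATTRS and not _safe_url(value):
                continue
            if name == "style":
                value = _clean_css(value)
                if not value:
                    continue
            seen[name] = value
        attr_text = "".join(f' {k}="{html.escape(v, quote=True)}"' for k, v in seen.items())
        if tag in VOID:
            self.out.append(f"<{tag}{attr_text} />")
        else:
            self.out.append(f"<{tag}{attr_text}>")
            self.stack.append(tag)

    handle_startendtag = handle_starttag             # <hr/> and <br /> take the same path

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            if self.entitify:
                self.out.append(html.escape(f"</{tag}>"))
            return
        if tag in self.stack:                        # close whatever is still open inside it
            while self.stack:
                top = self.stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break
        # a close tag with no matching open tag (or for a void element) is dropped

    def handle_data(self, data):                     # lone '<' and bare '&' land here as text
        self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):                # &amp; stays, &bogus; is neutralised
        self.out.append(f"&{name};" if name in name2codepoint else f"&amp;{name};")

    def handle_charref(self, name):                  # only reached for well-formed &#NN; / &#xHH;
        self.out.append(f"&#{name};")

    def result(self):
        self.close()
        while self.stack:                            # balance tags left open at the end
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def kses_like(markup, entitify=False):
    p = KsesLike(entitify=entitify)
    p.feed(markup)
    return p.result()
```

HTML comments and CDATA sections are dropped because no handle_comment or unknown_decl handler is defined, which matches the default described in the ticket. Note that html.parser decodes attribute values before handing them over, so an encoded scheme such as `java&#115;cript:` is compared after decoding; a filter that inspects the raw attribute text would have to do that decoding itself.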
Change History (10)
#2, 17 years ago
In particular, I like the sound of the "Option to balance tags for well-formedness of (X)HTML".
#3, 17 years ago
I'd be comfortable with this, but only if it's reviewed by someone with a lot of HTML security experience. KSES has had bugs, but never anything that caused us a security problem; I'm hesitant to rock that boat without lots of review.
#4, 17 years ago
It should also be compared to our existing functions like balancetags, to see if we can reduce any code.
#5, 17 years ago
This kses mod has evolved into htmLawed.
- highly and easily customizable
- ~45 kb single-file, non-OOP code with peak basal memory usage of ~0.5 MB
- improved tag balancing, entity checks and conversions
- remains kses-compatible
- NEW: transformation of deprecated tags/attributes
- NEW: anti-email/link spam measures
- NEW: absolute/relative URL conversions
- NEW: filtering/conversion of bad characters introduced by Microsoft Word, etc.
- etc... see htmLawed documentation
A testing script is in the download; htmLawed can also be tried online.
#7, 16 years ago
- Component changed from Optimization to Security
- Keywords needs-patch added
- Owner changed from anonymous to ryan
#8, 16 years ago
- Milestone changed from 2.9 to Future Release
- Priority changed from normal to low
- Severity changed from normal to minor
There is a better option than kses nowadays: HTML Purifier.
alpha2zee, this looks good. Thanks for both submitting it upstream and sharing it w/ us.