104685 2003-06-13 21:28 /37 lines/ Ulf Harnhammar <ulfh@update.uu.se>
Imported: 2003-06-13 21:28 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5213>
Subject: [ANNOUNCE] kses 0.1.0
------------------------------------------------------------
kses 0.1.0
==========

kses is an HTML filter written in PHP. It removes all unwanted HTML elements and attributes, no matter how malformed the HTML input you give it is. This is helpful for avoiding Cross-Site Scripting (XSS) security holes, among other things.

Some of kses' current features are:

* It will only allow the HTML elements and attributes that you say are OK.
* Element and attribute names are case-insensitive (a href vs A HREF).
* It will understand and process whitespace correctly.
* Attribute values can be surrounded with quotes, apostrophes or nothing.
* It will accept attributes with just names and no values (selected).
* Attribute values that are surrounded with nothing will get quotes, to avoid producing non-W3C-conforming HTML (<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML).
* It will remove "javascript:" in attribute values, while ignoring case and whitespace. The removal is done in a loop, so it won't be fooled by something silly like "javajavajavascript:script:script:alert(57)".
* It will remove additional "<" and ">" characters that people may try to sneak in somewhere.
* It handles lots of types of malformed HTML by interpreting the existing code the best it can and then rebuilding new code from it. That's a better approach than trying to process the existing code, as you're bound to forget about some weird special case somewhere.

kses 0.1.0, the first public release, can be downloaded from http://sourceforge.net/projects/kses .

If some of the people that usually audit web applications would take a look at kses to try to find security holes in it, it would be appreciated.

// Ulf Harnhammar, London/Stockholm, June 2003
metaur at users dot sourceforge dot net
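As an added illustration, not kses' own code, here is a small Python sketch of the approach the feature list describes: a whitelist of elements and attributes (the ALLOWED table is constructed for this example), tags rebuilt from parsed parts rather than patched in place, stray angle brackets dropped from text, and "javascript:" stripped in a loop next to a single-pass version that the nested spelling above defeats.

```python
import re
# Constructed whitelist for this example; kses takes its own per-site table.
ALLOWED = {"a": {"href", "title"}, "b": set(), "option": {"selected", "value"}}
# "javascript:" allowing any case and any whitespace between the letters.
JS_RE = re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.IGNORECASE)
TAG_RE = re.compile(r"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
ATTR_RE = re.compile(r"""([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")

def strip_js_single_pass(value):
    """Naive filter: one substitution pass, fooled by nested spellings."""
    return JS_RE.sub("", value)

def strip_js_loop(value):
    """Repeat until nothing changes, so removed text cannot reassemble."""
    while True:
        stripped = JS_RE.sub("", value)
        if stripped == value:
            return stripped
        value = stripped

def rebuild_tag(match):
    """Drop unknown elements; rebuild known ones from their parsed parts."""
    closing, name, attr_text = match.group(1), match.group(2).lower(), match.group(3)
    if name not in ALLOWED:
        return ""
    if closing:
        return "</%s>" % name
    parts = [name]
    for m in ATTR_RE.finditer(attr_text):
        attr = m.group(1).lower()
        if attr not in ALLOWED[name]:
            continue
        value = next((v for v in m.groups()[1:] if v is not None), None)
        if value is None:          # bare attribute such as "selected"
            parts.append(attr)
            continue
        value = strip_js_loop(value).replace("<", "").replace(">", "")
        parts.append('%s="%s"' % (attr, value.replace('"', "&quot;")))
    return "<" + " ".join(parts) + ">"

def kses_like(html):
    """Whitelist filter: text keeps no stray angle brackets, tags are rebuilt."""
    out, pos = [], 0
    for m in TAG_RE.finditer(html):
        out.append(html[pos:m.start()].replace("<", "").replace(">", ""))
        out.append(rebuild_tag(m))
        pos = m.end()
    out.append(html[pos:].replace("<", "").replace(">", ""))
    return "".join(out)
```

Entity-encoded spellings of the scheme are outside what this sketch handles; it only shows why rebuilding from a parse and looping the removal are the right shape.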