
[ANNOUNCE] kses 0.1.0

From: Ulf Harnhammar <ulfh(at)update.uu.se>
Date: Fri Jun 13 2003 - 06:13:36 EDT


kses 0.1.0


kses is an HTML filter written in PHP. It removes all unwanted HTML elements and attributes, no matter how malformed the HTML input you give it is. This is helpful for avoiding Cross-Site Scripting (XSS) security holes, among other things.

Some of kses' current features are:

  • It will only allow the HTML elements and attributes that you say are OK.
  • Element and attribute names are case-insensitive (a href vs A HREF).
  • It will understand and process whitespace correctly.
  • Attribute values can be surrounded with quotes, apostrophes or nothing.
  • It will accept attributes with just names and no values (selected).
  • Attribute values that are surrounded with nothing will get quotes, to avoid producing non-W3C-conforming HTML (<a href=http://sourceforge.net/projects/kses> works but isn't valid HTML).
  • It will remove "javascript:" in attribute values, while ignoring case and whitespace. The removal is done in a loop, so it won't be fooled by something silly like "javajavajavascript:script:script:alert(57)".
  • It will remove additional "<" and ">" characters that people may try to sneak in somewhere.
  • It handles many kinds of malformed HTML by interpreting the existing code as best it can and then rebuilding new code from it. That's a better approach than trying to patch up the existing code in place, as you're bound to forget about some weird special case somewhere.
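The feature list above describes a whitelist filter that parses what it can recognise and rebuilds the output, rather than patching the input. The sketch below is an added illustration of that approach and is not kses' own code (kses is PHP; this is Python so the behaviour can be checked directly). The ALLOWED whitelist is a constructed assumption, and unlike kses, which removes stray "<" and ">" characters, this sketch escapes the ones that form no tag.

```python
import re

# Constructed whitelist (an assumption for this example): element -> allowed attributes.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(),
           "option": {"value", "selected"}}

# One tag: optional "/", element name (any case), then everything up to ">" (no nested "<").
TAG_RE = re.compile(r"<(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>")
# One attribute: name, optionally followed by ="...", ='...' or =bare-value.
ATTR_RE = re.compile(r"""([a-zA-Z][a-zA-Z0-9_:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?""")
# "javascript:" with any case and any whitespace between the letters.
JS_RE = re.compile(r"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*:", re.IGNORECASE)


def strip_js_protocol(value):
    # Loop until nothing changes, so deleting one copy cannot reveal another one.
    while True:
        cleaned = JS_RE.sub("", value)
        if cleaned == value:
            return cleaned
        value = cleaned


def rebuild_tag(match):
    """Drop unlisted elements; rebuild listed ones from only their allowed attributes."""
    closing, name, raw_attrs = match.groups()
    name = name.lower()                             # element names are case-insensitive
    if name not in ALLOWED:
        return ""
    if closing:
        return f"</{name}>"
    parts = [name]
    for am in ATTR_RE.finditer(raw_attrs):
        attr = am.group(1).lower()
        if attr not in ALLOWED[name]:
            continue
        value = next((g for g in am.groups()[1:] if g is not None), None)
        if value is None:
            parts.append(attr)                      # bare attribute such as "selected"
        else:                                       # always re-quote the value
            value = strip_js_protocol(value).replace('"', "&quot;")
            parts.append(f'{attr}="{value}"')
    return "<" + " ".join(parts) + ">"


def kses_like(html):
    """Rebuild the document: recognised tags are re-emitted, everything else is text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(html):
        out.append(html[pos:m.start()].replace("<", "&lt;").replace(">", "&gt;"))
        out.append(rebuild_tag(m))
        pos = m.end()
    out.append(html[pos:].replace("<", "&lt;").replace(">", "&gt;"))
    return "".join(out)
```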

kses 0.1.0, the first public release, can be downloaded from http://sourceforge.net/projects/kses. If some of the people who usually audit web applications would take a look at kses to try to find security holes in it, it would be appreciated.

// Ulf Harnhammar, London/Stockholm, June 2003

metaur at users dot sourceforge dot net

Received on Fri Jun 13 17:46:12 2003
