Actualización
This commit is contained in:
168
main/inc/lib/kses-0.2.2/ChangeLog
Normal file
168
main/inc/lib/kses-0.2.2/ChangeLog
Normal file
@@ -0,0 +1,168 @@
|
||||
kses ChangeLog
|
||||
==============
|
||||
|
||||
* 0.2.2 and 0.2.2-rc1
|
||||
|
||||
0.2.2 was released on the 7th of February 2005. We also had a release
|
||||
candidate, 0.2.2-rc1, that was released on the 30th of January 2005.
|
||||
|
||||
I (Ulf) am sorry for this long delay, but I lost interest in kses for a
|
||||
while and worked on auditing C/C++ code for buffer overflows and format
|
||||
string bugs in the Debian Security Audit Project instead
|
||||
( http://www.debian.org/security/audit/ ).
|
||||
|
||||
This version has the following changes:
|
||||
|
||||
- Richard contributed an additional object-oriented kses version for
|
||||
PHP 5, which takes advantage of that PHP version's improved object
|
||||
orientation. You can find it in the oop/ directory.
|
||||
|
||||
- Richard added RemoveProtocol(), RemoveProtocols() and SetProtocols()
|
||||
methods to both object-oriented kses versions. This closes SourceForge
|
||||
bug #892477.
|
||||
|
||||
- Richard also did other smaller changes to the object-oriented kses
|
||||
versions. See oop/oop.kses.changelog.txt for the gory details.
|
||||
|
||||
- The code that checks whether used elements and attributes are allowed
|
||||
now uses isset() to avoid notices under certain configurations. This
|
||||
hopefully closes SourceForge bug #918493.
|
||||
|
||||
- The check for the Opera extra whitespace character #173 was moved so
|
||||
it only affects attribute values and nothing else. This is helpful for
|
||||
Asian kses users, who use that character in writing. (This is just a
|
||||
temporary solution. A better one will show up in the next version, when
|
||||
the parser is rewritten.) This closes SourceForge bug #834645, kind of.
|
||||
|
||||
- Now the program will not even look at attributes and closing XHTML
|
||||
slashes for closing HTML elements. This will make kses execute faster
|
||||
and it won't accept atrocities like </br /> anymore.
|
||||
|
||||
- Moved references in examples/test.php from function calls to the function
|
||||
definition, making it better PHP.
|
||||
|
||||
- The output of examples/test.php and examples/filter.php now conform fully
|
||||
to W3C's HTML specification.
|
||||
|
||||
- From now on, kses releases will be distributed both as .tar.gz and .zip
|
||||
archives to please our Wintendo users. This closes SourceForge feature
|
||||
request #900380.
|
||||
|
||||
- Changed to new copyright year and paper mail address.
|
||||
|
||||
|
||||
* 0.2.1
|
||||
|
||||
0.2.1 was released on the 29th of September 2003.
|
||||
It has the following changes:
|
||||
|
||||
|
||||
- There is now an additional version of kses, using the object-oriented
|
||||
paradigm. Thanks a lot to Richard R. Vasquez, Jr., who created it! Anyone
|
||||
who wants to make functional programming, logical programming or spaghetti
|
||||
programming versions of kses as well (or any other programming paradigm that
|
||||
you like), go ahead! All the people who like old procedural programming for
|
||||
web applications shouldn't despair, though, as both versions will be
|
||||
maintained with each release.
|
||||
|
||||
- kses now has some new attribute value checks: minlen, minval and valueless.
|
||||
See docs/attribute-value-checks for an explanation.
|
||||
|
||||
- For some reason, the Opera developers decided to make chr(173) a whitespace
|
||||
character in URL protocols, both when it occurs raw and in an entity. kses
|
||||
now handles this.
|
||||
|
||||
- The URL protocol whitelisting system now decodes entities before removing
|
||||
NULLs and whitespaces.
|
||||
|
||||
|
||||
* 0.2.0
|
||||
|
||||
0.2.0 was released on the 25th of July 2003.
|
||||
It has the following changes:
|
||||
|
||||
|
||||
- kses now supports checking of attribute values, and not just element names
|
||||
and attribute names. The attribute value checks that exist so far are
|
||||
'maxlen' (checks how long attribute values are, to avoid Buffer Overflows)
|
||||
and 'maxval' (checks how big an integer value is, to avoid Denial of Service
|
||||
attacks).
|
||||
|
||||
Buffer Overflows could both be a problem for WWW clients and different
|
||||
servers on the Internet that an HTML document links to. One example is
|
||||
<frame src="ftp://ftp.v1ct1m.com/AAAAAA..thousands_of_A's...">.
|
||||
|
||||
Denial of Service attacks can take the form of too big sizes of iframes or
|
||||
other things. One example is <iframe src="http://some.web.server/"
|
||||
width="20000" height="2000">, which makes some client machines completely
|
||||
overloaded.
|
||||
|
||||
- kses' old feature of removing "javascript:" from attribute values has been
|
||||
improved. It now has a whole system for white listing of URL protocols, so
|
||||
you can specify that it's acceptable with http:, https:, ftp: and gopher:,
|
||||
but no other protocols in attribute values. The system tries pretty hard to
|
||||
do the right thing with whitespace, upper/lower case, HTML entities
|
||||
("javascript:") and repeated entries ("javascript:javascript:alert(57)").
|
||||
|
||||
- kses now supports both HTML and XHTML code, by allowing " /" at the end of
|
||||
tags.
|
||||
|
||||
- kses now removes Netscape 4's JavaScript entities, having the form
|
||||
"&{alert(57)};". They don't even seem to work on all versions of Netscape 4,
|
||||
but for completeness' sake it seemed like a good feature to add.
|
||||
|
||||
- A bug with NULLs in javascript: URLs was fixed.
|
||||
(Reported by Simon Cornelius P. Umacob - thanks!)
|
||||
|
||||
- As a nice side effect of the white listing of URL protocols, kses now also
|
||||
normalizes all HTML entities in documents. It will change HTML code with bad
|
||||
entities to the right form, for example "AT&T" will be converted to
|
||||
"AT&T" and "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>" will be
|
||||
converted to "<a href='lyrics.php?band=ladytron&lyrics=playgirl'>".
|
||||
":" will be converted to ":", "&#XYZZY;" will be converted to
|
||||
"&#XYZZY;", "ä!;" will be converted to "&auml!;" and so on.
|
||||
|
||||
As shown above, it will process HTML entities that it doesn't understand.
|
||||
It will also deal with too big numbers in numeric HTML entities, which is
|
||||
helpful as many browsers seem to wrap them around at 2 ** 32, so the
|
||||
characters 58, 58 + (2 ** 32), 58 + (2 ** 64) etcetera are all colons to the
|
||||
web browser.
|
||||
|
||||
- You can now use upper case letters in your $allowed_html array, in element
|
||||
names, attribute names and attribute value check names. Version 0.1.0
|
||||
required everything in that array to be in lower case, but that's not
|
||||
necessary any more. You can also use upper case letters in
|
||||
$allowed_protocols.
|
||||
|
||||
- The "Really malformed thing" bug from the TODO file was fixed.
|
||||
It used to convert this string:
|
||||
x > 5 <a href="blah">
|
||||
to:
|
||||
x > 5 <a href="blah">
|
||||
and now it converts it to:
|
||||
x > 5 <a href="blah">
|
||||
|
||||
- The "Weird malformed thing" bug from the TODO file was fixed.
|
||||
It used to convert this string:
|
||||
<a href="5 href=6>
|
||||
to:
|
||||
<a href="6">
|
||||
because of the way kses restarts after a parse error in kses_hair(). Now it
|
||||
converts it to:
|
||||
<a>
|
||||
|
||||
- A problem with slashes in HTML tags was fixed.
|
||||
|
||||
- examples/filter.php used to use $SCRIPT_NAME, which doesn't work on
|
||||
Windows.
|
||||
(Reported by Simon Cornelius P. Umacob - thanks!)
|
||||
|
||||
- kses now allows dashes in attribute names, for things like
|
||||
<meta http-equiv=..>.
|
||||
|
||||
|
||||
* 0.1.0, first public version
|
||||
|
||||
0.1.0 was released on the 9th of June 2003.
|
||||
It was announced on three security related mailing lists on Friday the 13th
|
||||
of June (nothing bad happened to it though).
|
||||
Reference in New Issue
Block a user