[wp-hackers] HTML Purifier
Edward Z. Yang
edwardzyang at thewritingpot.com
Tue Feb 13 21:55:45 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Matt Mullenweg wrote:
> Andy Skelton wrote:
>> I would love to replace KSES.
>
> Why? We've never found a single vulnerability in the code, which is
> several years old.
Kses is fairly resilient against XSS attacks, I'll give it that. It
doesn't understand the HTML spec though, so that always keeps it open to
attacks in the future.
In terms of standards-compliance, kses doesn't come even close.
Besides the bare minimum needed to prevent XSS, kses performs no
attribute validation (<col span="foobar"> is legal), no inline CSS
validation (WordPress does not allow inline CSS in its attribute set),
and no nesting validation (<td>asdf</td> is legal even outside of tables).
Kses won't check if tags are balanced: WordPress had to implement custom
code to overcome this problem. Kses does not properly escape quotes
outside of tags, so it's totally unusable for XML (WordPress strips tags
and then htmlentity-izes for that use).
I think these are all very compelling reasons to drop that ancient piece
of code.
- --
Edward Z. Yang Personal: edwardzyang at thewritingpot.com
SN:Ambush Commander Website: http://www.thewritingpot.com/
GPGKey:0x869C48DA http://www.thewritingpot.com/gpgpubkey.asc
3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF0jPhqTO+fYacSNoRAoenAJ4s5gtfxZiz2qvNhnKem8HeVqpLfgCgiL34
b/BjtvDmyiJ2AUUAgyx2LvM=
=1+po
-----END PGP SIGNATURE-----
More information about the wp-hackers
mailing list