[wp-hackers] HTML Purifier

Edward Z. Yang edwardzyang at thewritingpot.com
Tue Feb 13 21:55:45 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Matt Mullenweg wrote:
> Andy Skelton wrote:
>> I would love to replace KSES.
> 
> Why? We've never found a single vulnerability in the code, which is
> several years old.

Kses is fairly resilient against XSS attacks, I'll give it that. It
doesn't understand the HTML spec though, so that always keeps it open to
attacks in the future.

In terms of standards-compliance, kses doesn't come even close.
Besides the bare minimum needed to prevent XSS, kses performs no
attribute validation (<col span="foobar"> is legal), no inline CSS
validation (WordPress does not allow inline CSS in its attribute set),
and no nesting validation (<td>asdf</td> is legal even outside of tables).

Kses won't check if tags are balanced: WordPress had to implement custom
code to overcome this problem. Kses does not properly escape quotes
outside of tags, so it's totally unusable for XML (WordPress strips tags
and then htmlentity-izes for that use).

I think these are all very compelling reasons to drop that ancient piece
of code.

- --
 Edward Z. Yang      Personal: edwardzyang at thewritingpot.com
 SN:Ambush Commander Website: http://www.thewritingpot.com/
 GPGKey:0x869C48DA   http://www.thewritingpot.com/gpgpubkey.asc
 3FA8 E9A9 7385 B691 A6FC B3CB A933 BE7D 869C 48DA

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF0jPhqTO+fYacSNoRAoenAJ4s5gtfxZiz2qvNhnKem8HeVqpLfgCgiL34
b/BjtvDmyiJ2AUUAgyx2LvM=
=1+po
-----END PGP SIGNATURE-----
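As an added illustration of the four gaps the message lists (attribute validation, nesting validation, balanced tags, and escaping quotes in text so the output is also usable in XML), here is a small allowlist sanitizer in Python. It is example code written for this page, not code from kses, WordPress, or HTML Purifier; the tag allowlist, the attribute validators and the nesting rules are constructed for the example and are not any project's real policy.

```python
import html
from html.parser import HTMLParser

# Constructed attribute validators (hypothetical policy, not kses's).
def _positive_int(value):
    return value is not None and value.isdigit() and int(value) > 0

def _safe_url(value):
    return value is not None and value.lower().startswith(("http://", "https://"))

# Constructed allowlist: tag -> {attribute: validator}. Attributes with no
# validator entry are dropped; <col span="foobar"> loses its span.
ALLOWED = {
    "p": {}, "b": {}, "i": {},
    "a": {"href": _safe_url},
    "table": {}, "tr": {}, "td": {}, "th": {},
    "col": {"span": _positive_int},
}
VOID = {"col"}  # elements that never get an end tag

# Nesting rules: child -> permitted direct parents (a <td> outside <tr> is dropped).
REQUIRED_PARENT = {
    "tr": {"table"},
    "td": {"tr"}, "th": {"tr"},
    "col": {"table"},
}

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []  # open elements we actually emitted

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped; its text content still flows through
        parent = self.stack[-1] if self.stack else None
        if tag in REQUIRED_PARENT and parent not in REQUIRED_PARENT[tag]:
            return  # nesting violation: drop the tag rather than emit it
        validators = ALLOWED[tag]
        kept = []
        for name, value in attrs:
            check = validators.get(name)
            if check is not None and check(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            # Close everything opened after it as well, so output stays balanced.
            while True:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break
        # An end tag with no matching open tag is discarded.

    def handle_data(self, data):
        # Quotes and ampersands in text are escaped, so the result is well-formed
        # as XML text, not only safe as HTML.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.stack:  # close anything the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize(fragment):
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()

if __name__ == "__main__":
    # Constructed inputs mirroring the cases named in the message.
    for sample in ('<table><col span="foobar"><col span="2"></table>',
                   '<td>asdf</td>',
                   '<b>bold <i>both',
                   'say "hi" & <script>alert(1)</script>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design point is that each check is a separate, explicit rule tied to the element being processed (what attribute values are legal, what parent it needs, whether it was ever opened) rather than a regular expression over the raw markup; that is what lets the output be both safe and well-formed, and it is the kind of spec-awareness the message argues a sanitizer needs.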

