Yannick Warnier 3ffacb4a92 Backing out Cesar's mistaken push 13 years ago

README

kses 0.2.2 README [kses strips evil scripts!]
=================


* INTRODUCTION *


Welcome to kses - an HTML/XHTML filter written in PHP. It removes all unwanted
HTML elements and attributes, no matter how malformed the HTML input you give
it is. It also performs several checks on attribute values. kses can be used to
avoid Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service
attacks, among other things.

The program is released under the terms of the GNU General Public License. You
should look into what that means, before using kses in your programs. You can
find the full text of the license in the file COPYING.
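A short usage example of the allowlist and attribute-value checks described above. This is added here and is not code from the kses distribution; it assumes kses.php from this repository is on the include path, and the allowlist contents and the filter_comment() wrapper are illustrative choices, not kses defaults.

```php
<?php
// Added example, not code from the kses distribution. Assumes kses.php from
// this repository is on the include path; the allowlist below and the
// filter_comment() wrapper are illustrative choices, not kses defaults.
require_once 'kses.php';

// Allowlist: element => (attribute => checks). Anything not listed here is
// removed. maxlen/minlen bound the value's length, maxval/minval bound a
// numeric value, and valueless => 'n' rejects an attribute given without a value.
$allowed_html = array(
    'a'   => array(
        'href'  => array('maxlen' => 200, 'valueless' => 'n'),
        'title' => array('maxlen' => 100),
    ),
    'b'   => array(),
    'p'   => array(),
    'img' => array(
        'src'    => array('maxlen' => 200, 'valueless' => 'n'),
        'alt'    => array('maxlen' => 100),
        'width'  => array('minval' => 1, 'maxval' => 800),
        'height' => array('minval' => 1, 'maxval' => 600),
    ),
);

// Only these URL schemes are kept in attribute values; any other scheme
// (javascript:, vbscript:, data:, ...) is stripped from the value.
$allowed_protocols = array('http', 'https', 'mailto');

// One wrapper for every place user-supplied HTML enters the application, so
// the allowlist is defined once instead of being repeated at each call site.
function filter_comment($html, array $allowed_html, array $allowed_protocols)
{
    return kses($html, $allowed_html, $allowed_protocols);
}

// Constructed sample input covering the cases the introduction describes:
// a non-allowlisted element, an event-handler attribute, a disallowed scheme,
// an unquoted value, mixed-case names and an out-of-range numeric attribute.
$untrusted = '<SCRIPT>alert(1)</SCRIPT>'
           . '<a HREF=http://example.com/ onclick="steal()">link</a>'
           . '<img src="javascript:alert(1)" width="99999" alt="pic">'
           . '<p>Plain <b>text</b> stays.</p>';

// The <script> tags, onclick and the oversized width are dropped, the
// javascript: scheme is stripped from src, and the surviving markup is rebuilt
// with quoted attribute values. Note that kses removes tags, not their text:
// the string alert(1) remains as harmless plain text.
echo filter_comment($untrusted, $allowed_html, $allowed_protocols), "\n";
```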


* FEATURES *


Some of kses' current features are:

* It will only allow the HTML elements and attributes that it was explicitly
told to allow.

* Element and attribute names are case-insensitive (a href vs A HREF).

* It will understand and process whitespace correctly.

* Attribute values can be surrounded with quotes, apostrophes or nothing.

* It will accept valueless attributes with just names and no values (selected).

* It will accept XHTML's closing " /" marks.

* Attribute values that are surrounded with nothing will get quotes, to avoid
producing non-W3C-conforming HTML (an unquoted attribute value works in
browsers but isn't valid HTML).

* It handles lots of types of malformed HTML by interpreting the existing
code as best it can and then rebuilding new code from it. That's a better
approach than trying to patch the existing code in place, as you're bound to
forget about some weird special case somewhere. It handles problems like
never-ending quotes and tags gracefully.

* It will remove additional "<" and ">" characters that people may try to
sneak in somewhere.

* It supports checking attribute values for minimum/maximum length and
minimum/maximum value, to protect against Buffer Overflows and Denial of
Service attacks against WWW clients and various servers. You can stop