tony at tonybibbs.com
Thu Apr 24 13:23:38 EDT 2008
The notion of whitelisting is an approach I like for this sort of stuff...assume all HTML is bad unless told otherwise. Couple it with a tool like Flexy that hates JS by default and you have the underpinnings of a system that enforces some notion of security on developers.
The library is a single class file so it hardly constitutes a "project". Anything we'd do with HTML Purifier would include a class to use it, right? So one file (KSES) or multiple files (KSES replacement class that uses HTML Purifier + all the HTML Purifier files).
Am I missing something? I want to be sure I'm not missing something. I'm also all ears on other alternatives. Back in the day when I used to really code in my free time I'd go see how some of the other CMS projects do this, but I'm lacking that time. If someone wants to sign up to do just some basic browsing of CVS/SVN trees for other projects, I'd be willing to hold off doing anything with KSES.
To be clear, though, KSES is one of the things holding up our GL2 alpha.
----- Original Message ----
From: Michael Jervis <mjervis at gmail.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Cc: Justin Carlson <justin.carlson at gmail.com>
Sent: Tuesday, April 22, 2008 12:48:35 AM
Subject: Re: [geeklog-devel] KSES
Tony, why still using KSES? Given it's an abandoned project that's not
maintained, we'll have repeats of this for all time, won't we?
Why not HTML Purifier or something else?
Of course, happy to have your patched version ;-)
On Mon, Apr 21, 2008 at 8:27 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
> I don't remember where that ended up but I do recall Dirk mentioning this not too long ago. GL 2 is using KSES too. Justin has agreed to patch the current PHP5 version we have and get it to you guys. Assuming you are all dropping PHP4 support you are done but, if not, then you'll need to back port it to PHP4. I'm sure we could at least provide a diff to make this easier if required.
mjervis at gmail.com
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
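As an added illustration of the allowlist approach Tony describes above ("assume all HTML is bad unless told otherwise"), here is a small DOM-based sanitiser in PHP. This is example code written for this page, not KSES, HTML Purifier or Geeklog code; the element/attribute policy, the permitted URL schemes and the sample input are hypothetical choices made for the example.

```php
<?php
// Added example (not KSES, HTML Purifier or Geeklog code): an allowlist
// HTML sanitiser. Anything not explicitly permitted is dropped: unknown
// elements are unwrapped (their text survives), unknown attributes are
// removed, and URL attributes must carry a listed scheme or none at all.
declare(strict_types=1);

// Hypothetical policy: element => attributes permitted on it.
const ALLOWED = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
];
const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];
const URL_ATTRIBUTES      = ['href', 'src'];

// A URL is safe if it has no scheme (relative) or a listed scheme.
// Control characters are rejected because browsers strip them before
// scheme detection ("java\tscript:" would otherwise slip through).
function isSafeUrl(string $url): bool
{
    $url = trim($url);
    if (preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return false;
    }
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true; // relative or protocol-relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
}

// Walk the tree, enforcing the allowlist on every descendant of $node.
function sanitizeNode(DOMNode $node): void
{
    // Iterate over a snapshot: we mutate the child list while walking it.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue; // text is inert once entities are re-escaped on output
        }
        if (!($child instanceof DOMElement)) {
            $node->removeChild($child); // comments, CDATA, PIs: not allowed
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED[$tag])) {
            if (in_array($tag, ['script', 'style'], true)) {
                $node->removeChild($child); // contents are not user content
                continue;
            }
            sanitizeNode($child); // clean the descendants, then unwrap
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Permitted element: keep only listed attributes with safe values.
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $listed = in_array($name, ALLOWED[$tag], true);
            $badUrl = in_array($name, URL_ATTRIBUTES, true) && !isSafeUrl($attr->value);
            if (!$listed || $badUrl) {
                $child->removeAttribute($attr->name);
            }
        }
        sanitizeNode($child);
    }
}

// Parse the untrusted fragment with a real HTML parser, sanitise, serialise.
function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $wrapped = '<!DOCTYPE html><html><head>'
             . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
             . '</head><body>' . $html . '</body></html>';
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML($wrapped, LIBXML_HTML_NODEFDTD | LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input exercising each rule.
$untrusted = '<p onclick="steal()">Hello <b>world</b> '
           . '<a href="javascript:alert(1)">bad</a> '
           . '<a href="https://example.com" target="_blank">ok</a>'
           . '<script>alert(1)</script>'
           . '<img src="pic.png" onerror="alert(1)">'
           . '<marquee>legacy</marquee><!-- comment --></p>';
echo sanitizeHtml($untrusted), PHP_EOL;
```

On the sample input the `onclick`, `onerror` and `target` attributes are removed, the `javascript:` href is dropped while the `https:` one is kept, the `script` element disappears with its contents, the `marquee` element is unwrapped so only the word "legacy" remains, and the comment is deleted. The point of the design is that the policy is the only place that says "yes"; a new attack vector in an element or attribute nobody listed is rejected without a code change. Two caveats a practitioner should keep in mind: parsing with DOMDocument instead of regular expressions (KSES is regex-based) avoids the tokenizer-mismatch bugs that make regex sanitisers brittle, but the serialised output must still be inserted into a page as HTML and never into a script or attribute context; and this example does not validate element nesting or CSS, which is part of what a fuller library such as HTML Purifier adds.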