[geeklog-devel] KSES

Michael Jervis mjervis at gmail.com
Fri Apr 25 02:38:40 EDT 2008

On Thu, Apr 24, 2008 at 6:23 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
> The notion of whitelisting is an approach I like for this sort of stuff...

HTML Purifier is a white-list based approach.

>  The library is a single class file so it hardly constitutes a "project".

Semantics! KSES is not maintained, so the GL/GL2 projects would have
to maintain our own version. And fix all security issues. HTML
Purifier is an active project and used by the Zend Framework, so will
continue to be maintained for a long time and actively developed to
protect against new and evolving attack vectors.

> Anything we'd do with HTML Purifier would include a class to use it, right?

HTML Purifier is an Object Oriented PHP5 solution. (They have a PHP4 port too).

> So one file (KSES) or multiple files (KSES replacement class that uses HTML Purifier + all the HTML Purifier files).

HTML Purifier ships with a drop in replacement function for the
original procedural distro that replaces calls to kses() with
marshalling of HTML Purifier. Might be trivial to replace the GL1 KSES
(class) approach with a wrapper to HTML Purifier.

>  Am I missing something?  I want to be sure I'm not missing something.

KSES:
+ We have experience with it.
- It's not maintained at all

HTML Purifier:
+ It's actively maintained (and used by the Zend Framework)
+ It's OO PHP5
+ It enforces standards compliant HTML
- We have no experience with it.

I'd go with an adapter class around HTML Purifier, then you are not
tied to a given framework and when there is a new hotness it can be
swapped out. Or, can the GL2 Framework support completely plugin
driven purification?
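The adapter idea from the message above, as an added example (not code from the Geeklog project or from this thread): a small sanitizer interface with one implementation that wraps HTML Purifier behind a kses-style allowed-tag array, so the engine behind it can be swapped without touching callers. The interface and class names (HtmlSanitizer, HtmlPurifierSanitizer), the allowed-tag array and the sample input are all made up for this illustration; the HTML Purifier calls (HTMLPurifier_Config::createDefault, set('HTML.Allowed', ...), set('URI.AllowedSchemes', ...), purify) are the library's real public API, and the require path assumes HTML Purifier is installed under the library/ directory.

```php
<?php
// Added example: an adapter around HTML Purifier so the purification
// engine is a plugin, not a hard dependency of the calling code.
// Assumes HTML Purifier's library/ directory is on the include path.
require_once 'HTMLPurifier.auto.php';

/**
 * Hypothetical engine-neutral contract. A KSES-backed implementation
 * could implement the same method; callers never see which one is used.
 */
interface HtmlSanitizer
{
    /**
     * @param string $html     untrusted markup
     * @param array  $allowed  kses-style whitelist: tag => list of attributes
     * @return string          markup containing only whitelisted tags/attributes
     */
    public function purify($html, array $allowed);
}

class HtmlPurifierSanitizer implements HtmlSanitizer
{
    public function purify($html, array $allowed)
    {
        $config = HTMLPurifier_Config::createDefault();
        // Translate the kses-style array into HTML Purifier's
        // HTML.Allowed syntax: "p,a[href|title],strong"
        $config->set('HTML.Allowed', $this->toAllowedSpec($allowed));
        // Whitelist URL schemes too, so href="javascript:..." is dropped.
        $config->set('URI.AllowedSchemes', array(
            'http' => true, 'https' => true, 'mailto' => true,
        ));
        // No definition cache: avoids needing a writable cache directory
        // for this stand-alone example.
        $config->set('Cache.DefinitionImpl', null);

        $purifier = new HTMLPurifier($config);
        return $purifier->purify($html);
    }

    private function toAllowedSpec(array $allowed)
    {
        $parts = array();
        foreach ($allowed as $tag => $attrs) {
            $parts[] = count($attrs)
                ? $tag . '[' . implode('|', $attrs) . ']'
                : $tag;
        }
        return implode(',', $parts);
    }
}

// Constructed whitelist in the shape the old kses() calls would use.
$allowed = array(
    'p'      => array(),
    'strong' => array(),
    'a'      => array('href', 'title'),
);

// Constructed untrusted input: a script tag, an event handler attribute
// and a javascript: URL, none of which are on the whitelist.
$untrusted = '<p onclick="alert(1)">Hi <strong>there</strong>'
           . '<script>alert(2)</script>'
           . '<a href="javascript:alert(3)" title="x">link</a></p>';

$sanitizer = new HtmlPurifierSanitizer();   // swap for any HtmlSanitizer
echo $sanitizer->purify($untrusted), "\n";
// Expected shape of the output: the <p>, <strong> and <a title="x">
// survive; onclick, the <script> element and the javascript: href are
// removed (the exact serialization depends on the HTML Purifier version).
```

Because callers hold an HtmlSanitizer rather than HTMLPurifier itself, the GL2 configuration can decide which class to instantiate, which is the "plugin driven purification" the message asks about.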
