tony at tonybibbs.com
Fri Apr 25 09:49:54 EDT 2008
Yeah, took a look at what you sent and the site you gave did mention a few other notable CMS type things that use it (one of my other points). That with what you sent below and I think I'm convinced. My biggest gripe was that KSES is a single file...HTML Purifier is a true library with lots of files but they do a "stand alone" version which puts as much of the features into as few files as possible.
----- Original Message ----
From: Michael Jervis <mjervis at gmail.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Sent: Friday, April 25, 2008 1:38:40 AM
Subject: Re: [geeklog-devel] KSES
On Thu, Apr 24, 2008 at 6:23 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
> The notion of whitelisting is an approach I like for this sort of stuff...
HTML Purifier is a white-list based approach.
> The library is a single class file so it hardly constitutes a "project".
Semantics! KSES is not maintained, so the GL/GL2 projects would have
to maintain our own version. And fix all security issues. HTML
Purifier is an active project and used by the Zend Framework, so will
continue to be maintained for a long time and actively developed to
protect against new and evolving attack vectors.
> Anything we'd do with HTML Purifier would include a class to use it, right?
HTML Purifier is an Object Oriented PHP5 solution. (They have a PHP4 port too).
> So one file (KSES) or multiple files (KSES replacement class that uses HTML Purifier + all the HTML Purifier files).
HTML Purifier ships with a drop-in replacement function for the
original procedural distro that replaces calls to kses() with
marshalling of HTML Purifier. Might be trivial to replace the GL1 KSES
(class) approach with a wrapper to HTML Purifier.
> Am I missing something? I want to be sure I'm not missing something.
+ We have experience with it.
- It's not maintained at all
+ It's actively maintained (and used by the Zend Framework)
+ It's OO PHP5
+ It enforces standards-compliant HTML
- We have no experience with it.
I'd go with an adapter class around HTML Purifier, then you are not
tied to a given framework and when there is a new hotness it can be
swapped out. Or, can the GL2 Framework support completely plugin
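The adapter class Michael proposes, written out as an added example (not Geeklog or HTML Purifier code; the class name `KsesAdapter`, its `filter()` method and the sample input are assumptions). It keeps the kses-style whitelist array as its input and translates it into HTML Purifier's configuration, so callers are insulated from the library behind it:

```php
<?php
// Added example: a kses-compatible adapter around HTML Purifier. Callers keep
// the kses() calling convention (tag => attribute whitelist, allowed schemes)
// while HTML Purifier does the actual filtering. Not Geeklog code; class and
// method names are assumptions. Requires HTML Purifier on the include path.
require_once 'HTMLPurifier.auto.php';

class KsesAdapter
{
    private $purifier;

    /**
     * $allowedHtml uses the kses array format, e.g.
     *   array('a' => array('href' => 1, 'title' => 1), 'b' => array(), 'p' => array())
     * $allowedProtocols lists the URI schemes permitted in href/src attributes.
     */
    public function __construct(array $allowedHtml, array $allowedProtocols = array('http', 'https', 'ftp', 'mailto'))
    {
        $config = HTMLPurifier_Config::createDefault();
        // Translate the kses whitelist into HTML Purifier's "tag[attr|attr]" syntax.
        $config->set('HTML.Allowed', self::toAllowedString($allowedHtml));
        // URIs whose scheme is not in this lookup are dropped from the output.
        $schemes = array();
        foreach ($allowedProtocols as $scheme) {
            $schemes[strtolower($scheme)] = true;
        }
        $config->set('URI.AllowedSchemes', $schemes);
        $this->purifier = new HTMLPurifier($config);
    }

    /** Same role as kses(): returns whitelisted, standards-compliant HTML. */
    public function filter($html)
    {
        return $this->purifier->purify($html);
    }

    private static function toAllowedString(array $allowedHtml)
    {
        $parts = array();
        foreach ($allowedHtml as $tag => $attrs) {
            $tag = strtolower($tag);
            $parts[] = empty($attrs) ? $tag : $tag . '[' . implode('|', array_keys($attrs)) . ']';
        }
        return implode(',', $parts);
    }
}

// Constructed input: an event-handler attribute and a script-scheme link, neither
// of which is in the whitelist, are removed; the rest is passed through cleaned up.
$kses = new KsesAdapter(array('a' => array('href' => 1, 'title' => 1), 'b' => array(), 'p' => array()));
echo $kses->filter('<p onclick="x()">Hi <a href="javascript:alert(1)" title="t">there</a> <b>bold</b></p>');
```

Swapping the library later means changing only the constructor and `filter()`, which is the point of the adapter: the whitelist format the rest of the code base passes in stays the same.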