[geeklog-devel] KSES

Mark Howard mark at the-howards.net
Fri Apr 25 13:13:17 EDT 2008


Apologies if this is already a known issue, I just happened to notice this
on bugtraq earlier this month:

http://seclists.org/bugtraq/2008/Apr/0028.html

Is 1.4.1 vulnerable?

Note that the solution recommends htmlpurifier in 'kses compatibility mode',
there are a couple of wrappers:

http://htmlpurifier.org/svnroot/htmlpurifier/trunk/library/HTMLPurifier.kses.php

http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php

-m


-----Original Message-----
From: geeklog-devel-bounces at lists.geeklog.net
[mailto:geeklog-devel-bounces at lists.geeklog.net] On Behalf Of Tony Bibbs
Sent: Friday, April 25, 2008 9:50 AM
To: Geeklog Development
Subject: Re: [geeklog-devel] KSES

Yeah, took a look at what you sent and the site you gave did mention a few
other notable CMS type things that use it (one of my other points).  That
with what you sent below and I think I'm convinced.  My biggest gripe was
that KSES is a single file...HTML Purifier is a true library with lots of
files but they do a "stand alone" version which puts as much of the features
into as few files as possible.

Thanks, Michael.

--Tony

----- Original Message ----
From: Michael Jervis <mjervis at gmail.com>
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Sent: Friday, April 25, 2008 1:38:40 AM
Subject: Re: [geeklog-devel] KSES

On Thu, Apr 24, 2008 at 6:23 PM, Tony Bibbs <tony at tonybibbs.com> wrote:
> The notion of whitelisting is an approach I like for this sort of stuff...

HTML Purifier is a white-list based approach.

>  The library is a single class file so it hardly constitutes a "project".

Semantics! KSES is not maintained, so the GL/GL2 projects would have
to maintain our own version. And fix all security issues. HTML
Purifier is an active project and used by the Zend Framework, so will
continue to be maintained for a long time and actively developed to
protect against new and evolving attack vectors.

> Anything we'd do with HTML Purifier would include a class to use it, right?

HTML Purifier is an Object Oriented PHP5 solution. (They have a PHP4 port
too).

> So one file (KSES) or multiple files (KSES replacement class that uses HTML Purifier + all the HTML Purifier files).

HTML Purifier ships with a drop in replacement function for the
original procedural distro that replaces calls to kses() with
marshalling of HTML Purifier. Might be trivial to replace the GL1 KSES
(class) approach with a wrapper to HTML Purifier.

>  Am I missing something?  I want to be sure I'm not missing something.

http://htmlpurifier.org/comparison.html

KSES:
+ We have experience with it.
- It's not maintained at all

HTML Purifier:
+ It's actively maintained (and used by the Zend Framework)
+ It's OO PHP5
+ It enforces standards compliant HTML
- We have no experience with it.

I'd go with an adapter class around HTML Purifier, then you are not
tied to a given framework and when there is a new hotness it can be
swapped out. Or, can the GL2 Framework support completely plugin
driven purification?

Cheers,

Mike
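An added example of the adapter class Mike proposes above (and of the KSES-style whitelist mapping that the kses compatibility wrapper Mark links to performs); this is not Geeklog or HTML Purifier code. It assumes HTML Purifier's stand-alone build is on the include path, the 4.x "Section.Directive" config syntax, and a KSES-shaped whitelist array('tag' => array('attr' => 1)); the interface name HtmlFilter is hypothetical.

```php
<?php
// Added example, not from the Geeklog project or HTML Purifier itself.
// Assumes the stand-alone HTML Purifier build and its 4.x config API.
require_once 'HTMLPurifier.standalone.php';

// Hypothetical interface so the purification backend can be swapped later.
interface HtmlFilter
{
    /** Return $html reduced to the whitelisted tags and attributes. */
    public function filter($html);
}

class HtmlPurifierFilter implements HtmlFilter
{
    private $purifier;

    /**
     * @param array $allowedHtml      KSES-style whitelist,
     *        e.g. array('a' => array('href' => 1), 'p' => array())
     * @param array $allowedProtocols URI schemes permitted in links
     */
    public function __construct(array $allowedHtml,
                                array $allowedProtocols = array('http', 'https', 'mailto'))
    {
        $config = HTMLPurifier_Config::createDefault();
        $elements = array();
        $attributes = array();
        // Translate the KSES array shape into HTML Purifier's whitelist directives.
        foreach ($allowedHtml as $tag => $attrs) {
            $tag = strtolower($tag);
            $elements[] = $tag;
            foreach (array_keys($attrs) as $attr) {
                $attributes[] = $tag . '.' . strtolower($attr);
            }
        }
        $config->set('HTML.AllowedElements', implode(',', $elements));
        $config->set('HTML.AllowedAttributes', implode(',', $attributes));
        // Only these schemes survive in href/src, so javascript: URIs are dropped.
        $config->set('URI.AllowedSchemes', array_fill_keys($allowedProtocols, true));
        $config->set('Cache.DefinitionImpl', null); // no cache directory needed here
        $this->purifier = new HTMLPurifier($config);
    }

    public function filter($html)
    {
        return $this->purifier->purify($html);
    }
}

// Constructed sample input: an event handler, a script tag and a javascript: link.
$filter = new HtmlPurifierFilter(array('p' => array(), 'b' => array(), 'a' => array('href' => 1)));
echo $filter->filter('<p onclick="x()">Hi <b>there</b><script>alert(1)</script>'
    . ' <a href="javascript:alert(1)">bad</a> <a href="http://example.com/">ok</a></p>');
```

Swapping in another backend (htmLawed, or a future library) only requires a second class implementing HtmlFilter; callers keep using filter().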
_______________________________________________
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://eight.pairlist.net/mailman/listinfo/geeklog-devel
