Maïeul ad614ef440 SVP is sensitive to the order of tags in paquet.xml 7 months ago
classes Update SafeHTML to version 1.3.12 from 7 months ago
index.php move safehtml into a plugin (or rather a strongly recommended extension) 12 years ago
license.txt Update SafeHTML to version 1.3.12 from 7 months ago
readme-SPIP.txt Update SafeHTML, in particular for HTML5 support 3 years ago
readme.txt Update SafeHTML to version 1.3.12 from 7 months ago


Version 1.3.12.

This parser strips out all potentially dangerous content within HTML:
* opening tags without a closing tag
* closing tags without an opening tag
* any of these tags: "base", "basefont", "head", "html", "body", "applet", "object",
"iframe", "frame", "frameset", "script", "layer", "ilayer", "embed", "bgsound",
"link", "meta", "style", "title", "blink", "xml" etc.
* any of these attributes: on*, data*, dynsrc
* javascript:/vbscript:/about: etc. protocols
* expression/behavior etc. in styles
* any other active content
It also tries to convert the code to valid XHTML, but htmltidy is a far better solution for that task.

If you find any bugs in this parser, please file an issue --

Please subscribe to in order to receive notices
when SAFEHTML is updated.

-- Roman Ivanov.
-- Pixel-Apes ( ).
-- JetStyle ( ).

Version history:
* added missing HTML5 tag terminators for paragraph
* removed obsolete and deprecated HTML elements
* added new HTML5 Block-level elements
* Replaced preg_replace() e modifier with preg_replace_callback
* UTF-7 XSS vulnerability fixed
* Tags can be allowed with the setAllowTags() method.
* AllowTags can be disabled using resetAllowTags().
* Added 'dl' to the list of 'lists' tags.
* Added 'callto' to the white list of protocols.
* Added white list of "namespaced" attributes.
* More accurate UTF-7 decoding.
* Two serious security flaws fixed: UTF-7 XSS and CSS comments handling.
* Security flaw (improper quotes handling in attributes' values) fixed. Big thanks to Nick Cleaton.
* Dumb bug fixed (some closing tags were ignored).
* Two holes (with decimal HTML entities and with \x00 symbol) fixed.
* Class rewritten under PEAR coding standards.
* Class now uses unmodified HTMLSax3 from PEAR.
* Added to the list of table tags: "caption", "col", "colgroup".
* It was possible to create XSS with hexadecimal HTML entities. Fixed. Big thanks to Christian Stocker.
* "id" and "name" attributes added to the dangerous attributes list, because an attacker can break legitimate JavaScript by spoofing the ID or NAME of an element.
* New method parse() allows the whole parsing process to be done in two lines of code. Examples also updated.
* New array, closeParagraph, contains the list of block-level elements. When such an element is opened, the open paragraph is closed first. This lets SafeHTML produce more XHTML-compliant code.
* Added "webcal" to the white list of protocols for those who use calendar programs (Mozilla/iCal/etc.).
* SafeHTML now strips out table elements when not inside a table.
* SafeHTML now correctly closes unclosed "li" tags: before opening an "li" of the same nesting level.
* New "dangerous" protocols: hcp, ms-help, help, disk, opera, res, resource, chrome, mocha, livescript.
* <XML> tag was moved from "tags for deletion" to "tags for deletion with content".
* New "dangerous" CSS instruction "include-source" (NN4 specific).
* New array, Attributes, contains the list of attributes to remove. If you need to remove the "id" or "name" attribute,
just add it to this array.
* It is now possible to choose between white-list and black-list filtering of protocols. The default is white-list,
with this list: "http", "https", "ftp", "telnet", "news", "nntp", "gopher", "mailto", "file".
* For speed, protocols are now filtered only in these attributes: src, href, action, lowsrc, dynsrc,
background, codebase.
* Opera 6 XSS bug ([\xC0][\xBC]script>alert(1)[\xC0][\xBC]/script> [UTF-8]) worked around.
* New "dangerous" tag: plaintext.
* Added array of elements that can have no closing tag.
* Bug fix: <img src="&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1);"> attack.
Thanks to shmel.
* Bug fix: safehtml hung on <style></style></style> code.
Thanks to lj user=electrocat.
* First public release.
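The protocol white-list check described in the introduction and in the history entries on entity-encoded and \x00-split schemes, as an added Python example (not SafeHTML's own PHP code): the attribute value is entity-decoded and stripped of control characters before its scheme is compared with the white list, and only the URL-bearing attributes the readme names are inspected. The protocol and attribute lists are taken from this readme; the function names are my own.

```python
import html
import re

# Protocol white list from this readme (defaults plus "callto" and "webcal").
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "telnet", "news", "nntp", "gopher",
                     "mailto", "file", "callto", "webcal"}
# Only these attributes carry URLs, so only they are checked (as the readme says).
URL_ATTRIBUTES = {"src", "href", "action", "lowsrc", "dynsrc", "background", "codebase"}
# Browsers ignore NUL, tabs, newlines and other control characters inside a scheme.
CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def url_scheme(value):
    """Return the lower-cased scheme of an attribute value, or None if it is relative.

    The value is decoded the way a browser would before the check: HTML entities
    (decimal &#106;, hex &#x6A;, named) are resolved and control characters dropped,
    so "&#106;avascript:" and "java\\x00script:" both resolve to "javascript".
    """
    decoded = CONTROL_CHARS.sub("", html.unescape(value))
    # A scheme can only precede the first "/", "?" or "#"; anything after is path/query.
    head = re.split(r"[/?#]", decoded, maxsplit=1)[0]
    if ":" not in head:
        return None
    return head.split(":", 1)[0].lower()


def is_safe_url(value):
    """White-list check: relative URLs pass, absolute ones need an allowed scheme."""
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_PROTOCOLS


def filter_url_attributes(attrs):
    """Return a copy of a tag's attributes with unsafe URL-bearing ones removed."""
    kept = {}
    for name, value in attrs.items():
        if name.lower() in URL_ATTRIBUTES and not is_safe_url(value):
            continue  # drop the attribute but keep the rest of the tag
        kept[name] = value
    return kept


if __name__ == "__main__":
    # Constructed sample: the entity-encoded src from the history, plus a harmless alt.
    sample = {"src": "&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;alert(1);",
              "alt": "logo"}
    print(filter_url_attributes(sample))  # {'alt': 'logo'}
```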