

#2 Colons in attributes

open-accepted
None
3
2005-04-23
2003-09-14
Ulf Harnhammar
No

Currently, kses doesn't handle colons in some attributes
well. In many cases, it thinks that they are a part of a
URL, and starts removing stuff with the whitelisting URL
function. This is bad, for attributes that don't take URLs.

It should be possible to switch on and off the
whitelisting URL protocol thing, to avoid this problem.

Discussion

  • Ulf Harnhammar
    2003-09-14

    • status: open --> open-accepted

  • Ulf Harnhammar
    2005-04-23

    • assigned_to: nobody --> metaur

  • nobunobu
    2005-10-08

    For handling "style" attributes (they require colons in their
    value) in kses, I changed the kses_hair() function in the
    following way.

    Find the following lines (3 occurrences may be found):

    $thisval = kses_bad_protocol($match[1], $allowed_protocols);

    Replace these lines with the following lines:

    if (strcasecmp($attrname, 'style') != 0) { // hacked by NobuNobu for handling style attribute
        $thisval = kses_bad_protocol($match[1], $allowed_protocols);
    } else {
        // don't run the URL protocol whitelist over style values; neutralise expression() instead
        $thisval = preg_replace('/(^|;)\s*expression\s*\(/i', '\\1XXexpressionXX(', $match[1]);
    }

    To avoid executing invalid JavaScript in the style attribute, I
    change "expression() " to "XXexpressionXX()" (because I could
    not find any regex to determine the end of "expression()").

  • Logged In: NO

    I'm getting "padding:" stripped out from the style tag. Is
    there a workaround or fix for this?
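
An added example, not code from kses or from either poster above, that models the behaviour behind nobunobu's patch and the "padding:" report: strip_bad_protocol() is a simplified stand-in for what kses_bad_protocol does to any value containing a colon (not its real implementation), filter_attr() has the shape of the posted replacement, and the attribute names, values and whitelist are constructed.

```php
<?php
// Added example, not code from kses or this ticket: a simplified model of
// the behaviour reported here. strip_bad_protocol() stands in for what a
// URL-protocol whitelist does to any attribute value containing a colon;
// filter_attr() has the shape of nobunobu's patch.

function strip_bad_protocol(string $value, array $allowed): string
{
    // Keep removing a leading "scheme:" that is not on the whitelist.
    // Anything before the first colon is treated as a scheme, which is
    // exactly why "padding: 4px" loses its "padding:".
    while (($pos = strpos($value, ':')) !== false) {
        $scheme = strtolower(trim(substr($value, 0, $pos)));
        if (in_array($scheme, $allowed, true)) {
            return $value;
        }
        $value = trim(substr($value, $pos + 1));
    }
    return $value;
}

function filter_attr(string $name, string $value, array $allowed): string
{
    if (strcasecmp($name, 'style') != 0) {
        return strip_bad_protocol($value, $allowed);
    }
    // style values legitimately contain colons, so skip the URL whitelist
    // and defuse the CSS expression() vector instead, as the patch does.
    return preg_replace('/(^|;)\s*expression\s*\(/i', '\\1XXexpressionXX(', $value);
}

$allowed = ['http', 'https', 'ftp', 'mailto'];   // constructed whitelist

// Constructed inputs: two URL attributes and two style attributes.
$cases = [
    ['href',  'javascript:alert(1)'],
    ['href',  'http://example.com/'],
    ['style', 'padding: 4px; color: red'],
    ['style', 'color: red; expression(alert(1))'],
];
foreach ($cases as [$name, $value]) {
    printf("%-5s %-32s | unpatched: %-26s | patched: %s\n", $name, $value,
        strip_bad_protocol($value, $allowed), filter_attr($name, $value, $allowed));
}
```

Running it shows the unpatched path reducing "padding: 4px; color: red" to "red" while leaving the expression() call in the last case untouched, and the patched path keeping the CSS intact and rewriting only "expression(".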