Feature #2969
The old kses-0.2.2 library should be removed
50%
Description
The formvalidator feature still relies on the old library kses. On the other hand, we use HTMLPurifier as a better solution for producing well-formed and secure HTML code.
The suggestion is:
1. The kses emulation feature (the function kses()) that exists in chamilo/main/inc/lib/HTMLPurifier/library/HTMLPurifier.kses.php to be set/adjusted and to be used as a replacement of the original function kses().
2. The library chamilo/main/inc/lib/kses-0.2.2 to be removed.
History
Updated by Yannick Warnier almost 10 years ago
Agreed. The Kses library ceased to be maintained a long time ago. This is why we moved to HTMLPurifier in the first place.
Updated by Ivan Tcholakov almost 10 years ago
I did some analysis; maybe it is not the right moment for this suggestion. HTMLPurifier is a heavy solution, I am not sure what would happen. Can we move this task to Chamilo 1.8.8.1?
I found that WordPress has a patched kses version. It would allow me to safely enable the HTML style-attribute (I need it for another task).
For Chamilo 1.8.8 I would like to patch the kses library and in the next release we may try to remove it. Is this OK?
Updated by Ivan Tcholakov almost 10 years ago
- Status changed from New to Assigned
- Assignee set to Ivan Tcholakov
I am choosing the more cautious way, first to upgrade the kses library.
14023:f346effc1936 Task #2969 - Preparing the kses library for upgrade, cleaning whitespace, adding the original file (renamed).
http://code.google.com/p/chamilo/source/detail?r=f346effc1936b305d301c6d55688e18e5929da07&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14024:2acabacc1d6e Task #2969 - Replacing the original kses library with its version from Moodle (GNU/GPL3 license + 1 patch + re-styled comments).
http://code.google.com/p/chamilo/source/detail?r=2acabacc1d6e855b8b168f6b1a319de6aead3a9d&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14025:7841ab3918e3 Task #2969 - Cleaning comments.
http://code.google.com/p/chamilo/source/detail?r=7841ab3918e31c9e04fbb9a576a4e63d610e79f5&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14026:4b35790399dc Task #2969 - Cosmetic changes.
http://code.google.com/p/chamilo/source/detail?r=4b35790399dc6c7031ce80543d7c2edcefc945a6&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14027:572663de38f5 Task #2969 - Cleaning whitespace in the file allowed_tags.inc.php.
http://code.google.com/p/chamilo/source/detail?r=572663de38f5f2930bc109bc9303ec2862c21d0f&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14028:d5810756ed7d Task #2969 - kses: Applying some fixes from WordPress 3.1 (1).
http://code.google.com/p/chamilo/source/detail?r=d5810756ed7d1be06807b4251d349999ab5ddac1&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14029:bbc21ad9c2c3 Task #2969 - kses: Applying some fixes from WordPress 3.1 (2), adding code for sanitizing inline css definitions.
http://code.google.com/p/chamilo/source/detail?r=bbc21ad9c2c3228141529dc561054f174f9bf75b&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14030:a36f046026fd Tasks #1297 and #2969 - Enabling style-tags and style-attributes.
http://code.google.com/p/chamilo/source/detail?r=a36f046026fd7e30190018339b691d706c3ca760&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14031:3ad7064df0b4 Task #2969 - kses: Applying some fixes from WordPress 3.1 (3).
http://code.google.com/p/chamilo/source/detail?r=3ad7064df0b421a9455ca52ac9ca2d8e76d989c6&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
14032:f3e64d5e046a Task #2969 - kses: Applying some fixes from WordPress 3.1 (4).
http://code.google.com/p/chamilo/source/detail?r=f3e64d5e046aa2c31c5bc0edc3632746bee8d32f&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
- Target version changed from 1.8.8 beta to 1.8.8.4
- % Done changed from 0 to 50
14033:75d4fba88ad0 Task #2969 - kses: Applying some fixes from WordPress 3.1 (5).
http://code.google.com/p/chamilo/source/detail?r=75d4fba88ad01bfd700cb1fc4142fce24b065ab5&repo=classic
The kses library has been upgraded. For the next release Chamilo 1.8.8.1 we will decide whether it should stay or not.
Updated by Yannick Warnier almost 10 years ago
Ivan Tcholakov wrote:
For Chamilo 1.8.8 I would like to patch the kses library and in the next release we may try to remove it. Is this OK?
Yes, no problem and no hurry. HTMLPurifier's developer is apparently a very active guy, so if there are things that can be improved in there, I bet sending the suggestion his way might generate beneficial interaction.
Updated by Ivan Tcholakov almost 10 years ago
14052:3c7d6fabc97b Task #2969 - Adding a comment.
http://code.google.com/p/chamilo/source/detail?r=3c7d6fabc97b25104f21ddb4807ecbfa11ede44c&repo=classic
Updated by Ivan Tcholakov almost 10 years ago
I think about another possible solution that allows system administrator's choice. In the page "Configuration settings > Security" an option can be added: "XSS protection implementation [HTMLPurifier | kses]".
Updated by Yannick Warnier almost 10 years ago
Ivan Tcholakov wrote:
I think about another possible solution that allows system administrator's choice. In the page "Configuration settings > Security" an option can be added: "XSS protection implementation [HTMLPurifier | kses]".
Agreed. Please wait until after 1.8.8! to add the option (or do it very fast before 1.8.8 beta this Thursday :-p).
Updated by Yannick Warnier over 8 years ago
- Target version changed from 1.9 Beta to 2.0
Did not have time to implement this. Moving to next version, otherwise won't be releasing a 1.9 anytime soon.