Feature #2969

The old kses-0.2.2 library should be removed

Added by Ivan Tcholakov almost 8 years ago. Updated over 6 years ago.

Status: Assigned
Priority: Normal
Category: -
Target version:
Start date: 26/02/2011
Due date:
% Done: 50%
Estimated time:
Complexity: Normal
SCRUM pts - complexity: ?

Description

The formvalidator feature still relies on the old library kses. On the other hand, we use HTMLPurifier as a better solution for producing well-formed and secure HTML code.

The suggestion is:
1. The kses emulation feature (the function kses()) that exists in chamilo/main/inc/lib/HTMLPurifier/library/HTMLPurifier.kses.php to be set/adjusted and to be used as a replacement of the original function kses().
2. The library chamilo/main/inc/lib/kses-0.2.2 to be removed.

History

#1

Updated by Yannick Warnier almost 8 years ago

Agreed. The Kses library ceased to be maintained a long time ago. This is why we moved to HTMLPurifier in the first place.

#2

Updated by Ivan Tcholakov almost 8 years ago

I did some analysis; maybe it is not the right moment for this suggestion. HTMLPurifier is a heavy solution, and I am not sure what would happen. Can we move this task to Chamilo 1.8.8.1?

I found that WordPress has a patched kses version. It would allow me to safely enable the HTML style-attribute (I need it for another task).

For Chamilo 1.8.8 I would like to patch the kses library and in the next release we may try to remove it. Is this OK?

#3

Updated by Ivan Tcholakov almost 8 years ago

  • Status changed from New to Assigned
  • Assignee set to Ivan Tcholakov

I am choosing the more cautious way, first to upgrade the kses library.

14023:f346effc1936 Task #2969 - Preparing the kses library for upgrade, cleaning whitespace, adding the original file (renamed).
http://code.google.com/p/chamilo/source/detail?r=f346effc1936b305d301c6d55688e18e5929da07&repo=classic

#4

Updated by Ivan Tcholakov almost 8 years ago

14024:2acabacc1d6e Task #2969 - Replacing the original kses library with its version from Moodle (GNU/GPL3 license + 1 patch + re-styled comments).
http://code.google.com/p/chamilo/source/detail?r=2acabacc1d6e855b8b168f6b1a319de6aead3a9d&repo=classic

#7

Updated by Ivan Tcholakov almost 8 years ago

14027:572663de38f5 Task #2969 - Cleaning whitespace in the file allowed_tags.inc.php.
http://code.google.com/p/chamilo/source/detail?r=572663de38f5f2930bc109bc9303ec2862c21d0f&repo=classic

#8

Updated by Ivan Tcholakov almost 8 years ago

14028:d5810756ed7d Task #2969 - kses: Applying some fixes from WordPress 3.1 (1).
http://code.google.com/p/chamilo/source/detail?r=d5810756ed7d1be06807b4251d349999ab5ddac1&repo=classic

#9

Updated by Ivan Tcholakov almost 8 years ago

14029:bbc21ad9c2c3 Task #2969 - kses: Applying some fixes from WordPress 3.1 (2), adding code for sanitizing inline css definitions.
http://code.google.com/p/chamilo/source/detail?r=bbc21ad9c2c3228141529dc561054f174f9bf75b&repo=classic

#10

Updated by Ivan Tcholakov almost 8 years ago

14030:a36f046026fd Tasks #1297 and #2969 - Enabling style-tags and style-attributes.
http://code.google.com/p/chamilo/source/detail?r=a36f046026fd7e30190018339b691d706c3ca760&repo=classic

#11

Updated by Ivan Tcholakov almost 8 years ago

14031:3ad7064df0b4 Task #2969 - kses: Applying some fixes from WordPress 3.1 (3).
http://code.google.com/p/chamilo/source/detail?r=3ad7064df0b421a9455ca52ac9ca2d8e76d989c6&repo=classic

#12

Updated by Ivan Tcholakov almost 8 years ago

14032:f3e64d5e046a Task #2969 - kses: Applying some fixes from WordPress 3.1 (4).
http://code.google.com/p/chamilo/source/detail?r=f3e64d5e046aa2c31c5bc0edc3632746bee8d32f&repo=classic

#13

Updated by Ivan Tcholakov almost 8 years ago

  • Target version changed from 1.8.8 beta to 1.8.8.4
  • % Done changed from 0 to 50

14033:75d4fba88ad0 Task #2969 - kses: Applying some fixes from WordPress 3.1 (5).
http://code.google.com/p/chamilo/source/detail?r=75d4fba88ad01bfd700cb1fc4142fce24b065ab5&repo=classic

The kses library has been upgraded. For the next release Chamilo 1.8.8.1 we will decide whether it should stay or not.

#14

Updated by Yannick Warnier almost 8 years ago

Ivan Tcholakov wrote:

For Chamilo 1.8.8 I would like to patch the kses library and in the next release we may try to remove it. Is this OK?

Yes, no problem and no hurry. HTMLPurifier's developer is apparently a very active guy, so if there are things that can be improved in there, I bet sending the suggestion his way might generate beneficial interaction.

#16

Updated by Ivan Tcholakov almost 8 years ago

I am thinking about another possible solution that allows the system administrator to choose. In the page "Configuration settings > Security" an option can be added: "XSS protection implementation [HTMLPurifier | kses]".

#17

Updated by Yannick Warnier almost 8 years ago

Ivan Tcholakov wrote:

I am thinking about another possible solution that allows the system administrator to choose. In the page "Configuration settings > Security" an option can be added: "XSS protection implementation [HTMLPurifier | kses]".

Agreed. Please wait until after 1.8.8! to add the option (or do it very fast before 1.8.8 beta this Thursday :-p).

#18

Updated by Yannick Warnier over 7 years ago

  • Target version changed from 1.8.8.4 to 1.9 Stable

#19

Updated by Yannick Warnier over 6 years ago

  • Target version changed from 1.9 Stable to 1.9 Beta

#20

Updated by Yannick Warnier over 6 years ago

  • Target version changed from 1.9 Beta to 2.0

Did not have time to implement this. Moving to next version, otherwise won't be releasing a 1.9 anytime soon.
