Download the PHP package soosyze/kses without Composer

On this page you can find all versions of the php package soosyze/kses. It is possible to download/install these versions without Composer. Possible dependencies are resolved automatically.


Information about the package kses

Soosyze kses (kses strips evil scripts)


Introduction

Welcome to kses, an HTML/XHTML filter written in PHP. It removes all unwanted HTML elements and attributes, no matter how malformed the HTML input you give it is, and it also checks attribute values. It can be used to avoid Cross-Site Scripting (XSS), buffer overflows and denial-of-service attacks, among other things.

It passes the XSS protection tests proposed by the OWASP® Foundation.

Features

Some of kses' current features are:

Requirements

PHP version

PHP version          Soosyze Kses 3.x
<= 7.1               ✗ Unsupported
7.2 / 7.3 / 7.4      ✓ Supported
8.0 / 8.1 / 8.2      ✓ Supported

Installation

Composer

To install Kses via Composer you must have either the Composer installer or the Composer binary file.

Go to your project directory, open a command prompt and run the following command:

Or, if you use the binary file,

Use It

It's very easy to use kses in your own PHP web application! Basic usage looks like this:

This definition of $allowed means that only the elements b, i, a, p and br are allowed (along with their closing tags /b, /i, /a, /p and /br). b, i and br may not have any attributes. a may only have the attributes href and title, while p may only have the attribute align. You can list the elements and attributes in the array in any mixture of upper and lower case. kses will also recognize HTML code that uses both lower and upper case.

It's important to select the right allowed attributes, so you won't open up an XSS hole by mistake. Some important attributes that you mustn't allow include but are not limited to:

It's also important to note that the HTML input passed to kses must be cleaned of all slashes coming from magic quotes. If the rest of your code requires these slashes to be present, you can always add them again after calling kses with a simple addslashes() call.

Use It with allowlist

Allowlists for tags and protocols are available:

kses attribute value checks

As you've probably already read in the README file, an $allowed_html array normally looks like this:

This sets what elements and attributes are allowed.

From kses 0.2.0, you can also perform some checks on the attribute values. You do it like this:

This means that kses should perform the maxlen check with the value 100 on the <a href=> value, as well as the maxval check with the value 20 on the <font size=> value.

The currently implemented checks (with more to come) are maxlen, maxval, minlen, minval and valueless.

maxlen

'maxlen' checks that the length of the attribute value is not greater than the given value. It is helpful against Buffer Overflows in WWW clients and various servers on the Internet. In my example above, it would mean that <a href='ftp://ftp.v1ct1m.com/AAAA..thousands_of_A's...'> wouldn't be accepted.

Of course, this problem is even worse if you put that long URL in a <frame> tag instead, so the WWW client will fetch it automatically without a user having to click it.

maxval

maxval checks that the attribute value is an integer greater than or equal to zero, that it doesn't have an unreasonable amount of zeroes or whitespace (to avoid Buffer Overflows), and that it is not greater than the given value. In my example above, it would mean that <font size='20'> is accepted but <font size='21'> is not. This check helps against Denial of Service attacks against WWW clients.

One example of this DoS problem is <iframe src="http://some.web.server/" width="20000" height="2000">, which makes some client machines completely overloaded.

minlen and minval

minlen and minval work the same as maxlen and maxval, except that they check for minimum lengths and values instead of maximum ones.

valueless

valueless checks if an attribute has a value (like <a href="blah">) or not (<option selected>). If the given value is a "y" or a "Y", the attribute must not have a value to be accepted. If the given value is an "n" or an "N", the attribute must have a value. Note that <a href=""> is considered to have a value, so there's a difference between valueless attributes and attribute values with the length zero.

You can combine more than one check, by putting one after the other in the inner array.
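The $allowed_html shape and the check semantics described above, as an added PHP illustration that is not soosyze/kses code: check_attr_value() is a hypothetical stand-alone helper (the library performs these checks internally) and the sample attribute values are constructed.

```php
<?php
// Added illustration, not soosyze/kses code: the $allowed_html shape from the
// README with per-attribute checks, plus a hypothetical check_attr_value()
// helper that applies the documented check semantics to one attribute value.
$allowed_html = [
    'b'      => [],
    'i'      => [],
    'br'     => [],
    'p'      => ['align' => []],
    'a'      => ['href' => ['maxlen' => 100], 'title' => []],
    'font'   => ['size' => ['maxval' => 20]],
    'option' => ['selected' => ['valueless' => 'y']],
];
// $value is null when the attribute had no "=value" part (<option selected>);
// an empty string (href="") still counts as a value, as the README notes.
function check_attr_value(?string $value, array $checks): bool
{
    foreach ($checks as $check => $limit) {
        $name = strtolower($check);
        if ($name === 'valueless') {
            $mustBeValueless = strtolower((string) $limit) === 'y';
            if ($mustBeValueless !== ($value === null)) return false;
            continue;
        }
        if ($value === null) return false; // length/value checks need a value
        if ($name === 'maxlen' && strlen($value) > $limit) return false;
        if ($name === 'minlen' && strlen($value) < $limit) return false;
        if ($name === 'maxval' || $name === 'minval') {
            // Digits only: no sign, whitespace or padding zeros. The 6-digit
            // cap is a constructed guard, not the library's exact rule.
            if (!preg_match('/^(0|[1-9][0-9]{0,5})$/', $value)) return false;
            if ($name === 'maxval' && (int) $value > $limit) return false;
            if ($name === 'minval' && (int) $value < $limit) return false;
        }
    }
    return true;
}
// Constructed samples mirroring the README's <a href=> and <font size=> cases.
$samples = [
    ['a', 'href', 'ftp://ftp.example.test/' . str_repeat('A', 200)],
    ['font', 'size', '20'],
    ['font', 'size', '21'],
    ['font', 'size', '0020'],
    ['option', 'selected', null],
];
foreach ($samples as [$tag, $attr, $value]) {
    $ok = check_attr_value($value, $allowed_html[$tag][$attr]);
    printf("<%s %s=%s> %s\n", $tag, $attr, var_export($value, true), $ok ? 'accepted' : 'rejected');
}
```

Checks are applied in the order they appear in the inner array, so combining several (for example maxlen together with minlen) works by listing them one after the other, exactly as the text describes.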

Allowed listed URL protocols

By default Kses loads with its own list of protocols:

Pretty reasonable, but anyone who wants to change it just calls the setAllowedProtocols() or addAlloweProtocol() function with a third parameter, like this:

Note that you shouldn't include any colon after http or other protocol names.

Bug reports

The first authors of kses no longer seem to maintain the code. Since kses is used by WordPress and Drupal, we closely monitor their implementations.

If you have found any security problems (particularly XSS, naturally) in kses, please contact the Soosyze CMS team privately on Discord, Mastodon or the Forum so they can correct it before you or someone else tells the public about it.

(No, it's not a security problem in kses if some program that uses it allows a bad attribute, silly. If kses is told to accept the element body with the attributes style and onLoad, it will accept them, even if that's a really bad idea, securitywise.)

The first authors of Kses

Thanks to

Thanks also go to a lot of people who posted to the Bugtraq and mailing lists about XSS or HTML filters. They gave us some valuable insights.

License

The program is released under the terms of the GNU General Public License. You should look into what that means, before using kses in your programs. You can find the full text of the license in the file LICENSE.

