attribute-value-checks

eGroupWare is a multi-user, web-based groupware suite developed on a custom set of PHP-based APIs. C

kses attribute value checks
===========================

As you've probably already read in the README file, an $allowed_html array
normally looks like this:

$allowed = array('b' => array(),
                 'i' => array(),
                 'a' => array('href' => 1,
                              'title' => 1),
                 'p' => array('align' => 1),
                 'br' => array());

This sets what elements and attributes are allowed.

From kses 0.2.0, you can also perform some checks on the attribute values. You
do it like this:

$allowed = array('b' => array(),
                 'i' => array(),
                 'a' => array('href' =>
                                array('maxlen' => 100),
                              'title' => 1),
                 'p' => array('align' => 1),
                 'font' => array('size' =>
                                array('maxval' => 20)),
                 'br' => array());

This means that kses should perform the maxlen check with the value 100 on the
<a href=> value, as well as the maxval check with the value 20 on the <font
size=> value.

The currently implemented checks (with more to come) are 'maxlen', 'maxval',
'minlen', 'minval' and 'valueless'.

'maxlen' checks that the length of the attribute value is not greater than the
given value. It is helpful against Buffer Overflows in WWW clients and various
servers on the Internet. In my example above, it would mean that
"<a href='ftp://ftp.v1ct1m.com/AAAA..thousands_of_A's...'>" wouldn't be
accepted.

Of course, this problem is even worse if you put that long URL in a <frame>
tag instead, so the WWW client will fetch it automatically without a user
having to click it.

'maxval' checks that the attribute value is an integer greater than or equal to
zero, that it doesn't have an unreasonable amount of zeroes or whitespace (to
avoid Buffer Overflows), and that it is not greater than the given value. In
my example above, it would mean that "<font size='20'>" is accepted but
"<font size='21'>" is not. This check helps against Denial of Service attacks
against WWW clients.

One example of this DoS problem is <iframe src="http://some.web.server/"
width="20000" height="2000">, which makes some client machines completely
overloaded.

'minlen' and 'minval' works the same as 'maxlen' and 'maxval', except that they
check for minimum lengths and values instead of maximum ones.

'valueless' checks if an attribute has a value (like <a href="blah">) or not
(<option selected>). If the given value is a "y" or a "Y", the attribute must
not have a value to be accepted. If the given value is an "n" or an "N", the
attribute must have a value. Note that <a href=""> is considered to have a
value, so there's a difference between valueless attributes and attribute
values with the length zero.

You can combine more than one check, by putting one after the other in the
inner array.