Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.


ToivoToivo New
edited September 2006 in Vanilla 1.0 Help
What could i say. Nice one. But is it actually needed for vanilla? "kses can be used to avoid Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks." But some extra locks on your door are good I guess


  • "Needed"? That depends.

    Never trust user input. Any place where you allow users to enter (X)HTML (as opposed to stripping or escaping it completely), you must handle it, or sit back and wait for your site to enable these jerks to screw around with your site and server. How you handle it is up to you.

    I believe that the HTML formatter does checks for JavaScript insertion (XSS).

    A benefit of kses is that, in addition to making sure a user isn't entering something naughty, you can also restrict what tags they can use and make sure all tags are closed properly (I think the HTML formatter does this bit too, not sure). For example, you might not want users to insert tables into their post, or leave tags unclosed, because that can screw up the rest of the page's display.
  • The html formatter restricts the number of tags you can use but as far as i'm aware it doesnt make sure theyre always closed properly.
  • edited July 2006
    Thank you for this extension. especialy for the closing tag issue.

    Do you still plan to add an help link?
  • Yes. I got it working with svn just great. I didn't know if I should add it for svn users (everyone else just wouldn't get the link): I wondered if having "useless" files (1 php file, 1 js file) - for the stable version of Vanilla - might confuse people? (e.g: "How come the help link doesn't show?!"). Mind you, those that want could try and add it by hand, by editing their theme file.
  • so it is still possible to post these nice youtube ja google videos in flash? /when kses shields are turned on
  • Sure, just add the tags and attributes you need to the config.
  • Is there a safe way to do this with only GoogleVideo and YouTube that would ensure that users couldn't embed something that would be a security risk? Such as a filter for the YouTube and GoogleVideo URLs.
  • Your user need to use a tag like [youtube]####[/youtube]. In the extension, you let kses take off all the not allowed tag, and parse again the post after it for [youtube]####[/youtube]. See the solution of bergamot for the BBcode:
  • NickENickE New
    edited August 2006
    I know this is old and everything, but I just thought I'd clarify a few things. Firstly, the Html Formatter extension (that I wrote) is a very 'defensive' formatter, if you will; it attempts to saftely give the user as much freedom as possible in regard to what he does with html, only removing entire tags when it is absolutely necessary (contrary to kses, which completely rebuilds the users' html). If you want more control over what the user can do with html, then kses is probably a better choice (although the formatter does have the ability to strip out inline styling, and extending the disallowed tags list is not hard at all). Secondly, it does have the option, as of v1.5, to make sure there are no stray opening or closing tags, to prevent users from messing up the forum structure. In the end, though, kses is a more used piece of software, so if you're really worried about users messing something up, kses would probably be less likely to contain bugs.
  • Is there any way to get the kses formatter to wrap paragraphs in <p> tags?
  • I could add a delegate, which would allow you to run any kind of formatter you wanted before kses is run. Then all you'd need to do is create a simple extension to apply any default formatting you wanted. Gimme a couple minutes...
  • Or, not. They're only for controls. Meh...
  • Mark has the answer. So, you've just gotta make yourself a new string formatter, and then call kses from it.
This discussion has been closed.