From fbb8fa2a15f565ca97e6d15371ce1234e716e2ab Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" <edwardzyang@thewritingpot.com>
Date: Sun, 2 Mar 2008 06:14:08 +0000
Subject: [PATCH] Update Comparison with htmLawed.

git-svn-id: http://htmlpurifier.org/svnroot@1590 48356398-32a2-884e-a903-53898d9a118a
---
 comparison.xhtml                      | 131 +++++++++++++++++++++++++++++++++-
 xhtml-compiler/XHTMLCompiler/Page.php |   1 +
 2 files changed, 129 insertions(+), 3 deletions(-)

diff --git a/comparison.xhtml b/comparison.xhtml
index b475dfd..c916f0d 100644
--- a/comparison.xhtml
+++ b/comparison.xhtml
@@ -151,6 +151,20 @@
 </tr>
 
 <tr>
+  <td>htmLawed</td>
+  <td>1.0.2</td>
+  <td>2008-02-13</td>
+  <td>GPL</td>
+  <td class="impl-partial">Elements</td>
+  <td class="impl-almostyes">Yes (user)</td>
+  <td class="impl-almostyes">Yes (user)</td>
+  <td class="impl-no">No</td>
+  <td class="impl-partial">Partial</td>
+  <td class="impl-no">Unlikely</td>
+  <td class="impl-no">No</td>
+</tr>
+
+<tr>
   <td>Safe HTML Checker</td>
   <td>n/a</td>
   <td>2003-09-15</td>
@@ -658,6 +672,114 @@ $allowedposttags = array (
   the whitelist to filter <abbr>HTML</abbr>.
 </p>
 
+<h2 id="htmLawed">htmLawed</h2>
+
+<p>
+  <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php">htmLawed</a>
+  is kses on steroids. After looking at HTML Purifier and deciding that it was
+  too slow for him, Santosh Patnaik went ahead and rewrote the kses engine
+  with more features. It is the only other filtering library currently available
+  that is being actively maintained. Very promising at first, but as I reviewed
+  it I became more and more dismayed.
+</p>
+
+<table class="summary">
+  <tr><th>Version</th>                <td class="impl-yes">1.0.2</td></tr>
+  <tr><th>Last update</th>            <td class="impl-irrelevant">2008-02-13</td></tr>
+  <tr><th>License</th>                <td class="impl-irrelevant">GPL</td></tr>
+  <tr><th>Whitelist</th>              <td class="impl-partial">Only elements</td></tr>
+  <tr><th>Removes foreign tags</th>   <td class="impl-almostyes">Yes, user defined</td></tr>
+  <tr><th>Makes well-formed</th>      <td class="impl-almostyes">Yes, user defined</td></tr>
+  <tr><th>Fixes nesting</th>          <td class="impl-no">No</td></tr>
+  <tr><th>Validates attributes</th>   <td class="impl-partial">Partial</td></tr>
+  <tr><th>XSS safe</th>               <td class="impl-no">Unlikely, user defined</td></tr>
+  <tr><th>Standards safe</th>         <td class="impl-no">No</td></tr>
+</table>
+
+<p>
+  The fact that htmLawed comes from kses means for a fairly unintelligible
+  codebase and heavily procedural code, as well as a dramatically lower memory
+  footprint and faster execution. However, htmLawed also attempts to reach feature
+  parity with HTML Purifier, although falls short in several areas.
+</p>
+
+<p>
+  Namely, standards compliance! htmLawed gets really close (dealing appropriately
+  with some of the higher profile cases touted by HTML Purifier), but still falls
+  flat in several areas. For example, it doesn't properly check the contents
+  of <code>table</code> tags:
+</p>
+
+<pre><![CDATA[<table><td>Cell</td></table>]]></pre>
+
+<p>
+  This is passed through unharmed, even though the content model of tables does
+  not permit table cells. As far as I can tell, fixing this completely (which
+  means also accounting for <code>thead</code> and ordering) is
+  not a trivial task, as kses was never built to inspect the children of a node.
+  The architecture of the library itself is deficient.
+</p>
+
+<p>
+  There are other cases in which dubious design decisions are visible. For example,
+  htmLawed is not <abbr>XSS</abbr>-safe out of the tin. This is
+  <a href="http://www.bioinformatics.org/phplabware/forum/viewtopic.php?id=28">by
+  design</a> (which, coincidentally, I think is very bad). I believe a user
+  has to define a safe tag-set in <code>elements</code>, define <em>all</em>
+  bad attributes in <code>deny_attribute</code> (blacklist rears its ugly head
+  for attributes),
+  disallow <code>comment</code>s (otherwise Internet Explorer users are vulnerable
+  to conditional comments), and, in all likelihood, do a few other things,
+  before you can open it up to Joe Random User. This is all
+  documented in the htmLawed documentation. But its terribly fragmented
+  and misrepresented with gems like the <q>following increase security risks</q>
+  and listing <code>script</code> afterwards. Of course it increases security risks:
+  <em>it makes your application insecure.</em>
+</p>
+
+<p>
+  All this is enough to make any person ask, <q>So, is htmLawed a filter or a 
+  tidy library?</q>
+</p>
+
+<p>
+  The answer is it is neither! Even in its most <em>permissive</em> mode, which allows a whole
+  host of JavaScript vectors, it "denies" the <code>javascript:</code> protocol.
+  You can't turn that off. And as we've mentioned before, it doesn't fix nesting
+  perfectly, and to add insult to injury, these features <em>can</em> be turned off.
+  It feels like the development attitude
+  has not been, <q>Deny everything, and then check each element carefully
+  for safety,</q> but rather, <q>Hit the major points and hope no-one notices the
+  deficiencies.</q> I mean, even the comparsion
+  with HTML Purifier contains inaccuracies: no, we don't support HTML 5 (we
+  only experimentally support an HTML 5 parser, which is quite different
+  from the HTML 5 tag-set), and yes, we do have <a href="live/configdoc/plain.html#URI.Munge">anti-spam
+  measures</a>.
+</p>
+
+<p>
+  htmLawed is a flawed library. But not fatally, I don't think.
+  Here are some suggestions:
+</p>
+
+<ul>
+  <li>Make a single configuration parameter that regulates <abbr>XSS</abbr> safety.
+    And then turn it on by default.</li>
+  <li>Then, make sure you don't kill off valid JavaScript when that
+    parameter is off.</li>
+  <li>Once you fix the <code>table</code> case I mention above, mosey over to
+    the <a href="http://www.w3.org/TR/REC-html40/struct/tables.html#edef-TABLE">W3C
+    specification</a> and check out the content model. Then do that for every
+    element in the HTML specification.</li>
+  <li>Implement a whitelist for attributes. Make sure that you can allow
+    attributes on one element but not another.</li>
+</ul>
+
+<p>
+  And probably more. But the above will suffice for now. Users, you may
+  be smarting for some better performance, but avoid this library for now.
+</p>
+
 <h2 id="Safe_HTML_Checker">Safe HTML Checker</h2>
 
 <p>
@@ -729,15 +851,18 @@ $allowedposttags = array (
   <tr><th>Object-Oriented</th><td class="impl-yes">Yes</td></tr>
   <tr><th>Validates CSS</th><td class="impl-yes">Yes</td></tr>
   <tr><th>Tables</th><td class="impl-yes">Yes</td></tr>
-  <tr><th>PHP 5 aware</th><td class="impl-yes">Yes</td></tr>
-  <tr><th>E_STRICT compliant</th><td class="impl-yes">Yes (use -strict)</td></tr>
+  <tr><th>PHP 5 only</th><td class="impl-yes">Yes</td></tr>
+  <tr><th>E_STRICT compliant</th><td class="impl-yes">Yes</td></tr>
+  <tr><th>Can auto-paragraph</th><td class="impl-yes">Yes</td></tr>
+  <tr><th>Extensible</th><td class="impl-yes">Yes</td></tr>
+  <tr><th>Unit tested</th><td class="impl-yes">Yes</td></tr>
 </table>
 
 <p>
   This is not to say that HTML Purifier doesn't have problems of its own.
   It's big (while the others usually fit in one file, this one requires a huge
   include list), and it's <a href="http://htmlpurifier.org/live/TODO">missing
-  features.</a> But even in its current state,
+  features.</a> But even with these deficiencies,
   HTML Purifier is far better than the other libraries.
 </p>
 
diff --git a/xhtml-compiler/XHTMLCompiler/Page.php b/xhtml-compiler/XHTMLCompiler/Page.php
index 52b8783..a88363e 100644
--- a/xhtml-compiler/XHTMLCompiler/Page.php
+++ b/xhtml-compiler/XHTMLCompiler/Page.php
@@ -66,6 +66,7 @@ class XHTMLCompiler_Page
                 'Requested directory cannot be found; check your file
                 path and try again.' );
         }
+        if ($dir[strlen($dir)-1] == '/') $dir = substr($dir, 0, -1);
         
         $allowed_dirs = $xc->getConf('allowed_dirs');
         $ok = false;
-- 
2.11.4.GIT