SafeHTML
--------
Version 1.3.7.
http://pixel-apes.com/safehtml/
--------

This parser strips down all potentially dangerous content within HTML:
* opening tag without its closing tag
* closing tag without its opening tag
* any of these tags: "base", "basefont", "head", "html", "body", "applet", "object",
  "iframe", "frame", "frameset", "script", "layer", "ilayer", "embed", "bgsound",
  "link", "meta", "style", "title", "blink", "xml" etc.
* any of these attributes: on*, data*, dynsrc
* javascript:/vbscript:/about: etc. protocols
* expression/behavior etc. in styles
* any other active content

It also tries to convert code to valid XHTML, but htmltidy is a far better
solution for this task.

If you find any bugs in this parser, please inform me -- ICQ:551593 or mailto:thingol@mail.ru

Please subscribe to the http://pixel-apes.com/safehtml/feed/rss feed in order to
receive notices when SAFEHTML is updated.

-- Roman Ivanov.
-- Pixel-Apes ( http://pixel-apes.com ).
-- JetStyle ( http://jetstyle.ru/ ).

--------
Version history:
--------
1.3.7.
 * Added 'dl' to the list of 'lists' tags.
 * Added 'callto' to the white list of protocols.
 * Added white list of "namespaced" attributes.
1.3.6.
 * More accurate UTF-7 decoding.
1.3.5.
 * Two serious security flaws fixed: UTF-7 XSS and CSS comments handling.
1.3.2.
 * Security flaw (improper quotes handling in attributes' values) fixed. Big thanks to Nick Cleaton.
1.3.1.
 * Dumb bug fixed (some closing tags were ignored).
1.3.0.
 * Two holes (with decimal HTML entities and with \x00 symbol) fixed.
 * Class rewritten under PEAR coding standards.
 * Class now uses unmodified HTMLSax3 from PEAR.
 * To the list of table tags added: "caption", "col", "colgroup".
1.2.1.
 * It was possible to create XSS with hexadecimal HTML entities. Fixed. Big thanks to Christian Stocker.
1.2.0.
 * "id" and "name" attributes added to the dangerous attributes list, because a
   malefactor can break legitimate JavaScript by spoofing the ID or NAME of some element.
 * New method parse() allows the whole parsing process to be done in two lines of code.
   Examples also updated.
 * New array, closeParagraph, contains the list of block-level elements. When we open
   such an element, we should close the paragraph first. This allows SafeHTML to
   produce more XHTML-compliant code.
 * Added "webcal" to the white list of protocols for those who use calendar programs
   (Mozilla/iCal/etc).
 * Now SafeHTML strips down table elements when we are not inside a table.
 * Now SafeHTML correctly closes unclosed "li" tags: before opening an "li" of the
   same nesting level.
1.1.0.
 * New "dangerous" protocols: hcp, ms-help, help, disk, vnd.ms.radio, opera, res,
   resource, chrome, mocha, livescript.
 * tag was moved from "tags for deletion" to "tags for deletion with content".
 * New "dangerous" CSS instruction "include-source" (NN4 specific).
 * New array, Attributes, contains the list of attributes for removal. If you need to
   remove the "id" or "name" attribute, just add it to this array.
 * Now it is possible to choose between white-list and black-list filtering of
   protocols. The default is "white-list". This list is: "http", "https", "ftp",
   "telnet", "news", "nntp", "gopher", "mailto", "file".
 * For speed purposes, we now filter protocols only from these attributes: src, href,
   action, lowsrc, dynsrc, background, codebase.
 * Opera6 XSS bug ([\xC0][\xBC]script>alert(1)[\xC0][\xBC]/script> [UTF-8]) worked around.
1.0.4.
 New "dangerous" tag: plaintext.
1.0.3.
 Added array of elements that can have no closing tag.
1.0.2.
 Bug fix: attack. Thanks to shmel.
1.0.1.
 Bug fix: safehtml hangs on code. Thanks to lj user=electrocat.
1.0.0.
 First public release


markItUp! 1.1.3 CHANGE LOG

markItUp! 1.1.3 2008-09-12
- Fixed: IE7 preview problem

markItUp! 1.1.2 2008-07-17
- Fixed: Quick fix for Opera 9.5 caret position problem after insertion

markItUp! 1.1.1 2008-06-02
- Fixed: Key events status are passed to callbacks properly
- Improved: ScrollPosition is kept in the preview when it is refreshed

markItUp! 1.1.0 2008-05-04
- Modified: Textarea's id is no longer moved to the main container
- Modified: NameSpace Span becomes a Div to remain strict
- Added: Relative path to the script is computed
- Added: Relative path to the script passed to callbacks
- Added: Global instance ID property
- Added: $(element).markItUpRemove() to remove markItUp!
- Added: Resize handle is now optional with resizeHandle property
- Added: Property previewInWindow is added and accepts window parameter
- Added: Property previewPosition is added
- Modified: Resize handle is no longer displayed in Safari to avoid repetition with the native handle
- Modified: Property previewIframeRefresh becomes previewAutorefresh
- Modified: Built-in Html Preview calls a template file
- Improved: Autorefreshing now applies to preview in window too
- Improved: Cancel button in prompt window now cancels the whole insertion process
- Improved: Cleaner markItUp! code added to the DOM
- Removed: Deprecated preview properties such as previewBaseUrl, previewCharset, previewCssPath, previewBodyId, previewBodyClassName
- Removed: Property previewIframe no longer exists
- Fixed: "Magic markups" works with line feeds
- Fixed: Key events are initialized after insertion
- Fixed: Internet Explorer line feed offset bug
- Fixed: Shortcut keys on Mac OS
- Fixed: Ctrl+click works and doesn't open Mac context menu anymore
- Fixed: Ctrl+click works and doesn't open the page in a new tab anymore
- Fixed: Minor Css modifications

markItUp! 1.0.3 2008-04-04
- Fixed: IE7 Preview empty baseurl problem
- Fixed: IE7 external targeted insertion
- Added: Property scrollPosition is passed to callbacks functions

markItUp! 1.0.2 2008-03-31
- Fixed: IE7 Html preview problems
- Fixed: Selection is kept if nothing is inserted
- Improved: Code minified

markItUp! 1.0.1 2008-03-21
- Removed: Global PlaceHolder
- Modified: Property previewCharset is set to "utf-8" by default

markItUp! 1.0.0 2008-03-01
- First public release
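
An added example, not SafeHTML's own code (SafeHTML is a PHP class; this is an independent Python illustration): the protocol white list and attribute list from the SafeHTML version history, checked with and without the normalization that the 1.2.1 (hexadecimal entities) and 1.3.0 (decimal entities, \x00) fixes call for. The function names and sample values are assumptions made for this example.

```python
import html
import re

# Lists taken from the SafeHTML version history: the 1.1.0 white list plus
# "webcal" (1.2.0) and "callto" (1.3.7), and the 1.1.0 attribute list.
ALLOWED_PROTOCOLS = {"http", "https", "ftp", "telnet", "news", "nntp", "gopher",
                     "mailto", "file", "webcal", "callto"}
URL_ATTRIBUTES = {"src", "href", "action", "lowsrc", "dynsrc", "background",
                  "codebase"}
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def scheme_of(value, normalize=True):
    """Return the lower-cased URL scheme of value, or None for a relative URL."""
    if normalize:
        # Decode decimal and hexadecimal entities, as an HTML parser does
        # before the attribute value is used, then drop NUL, other control
        # characters and whitespace that could split the scheme name.
        value = re.sub(r"[\x00-\x20\x7f]", "", html.unescape(value))
    match = SCHEME.match(value)
    return match.group(1).lower() if match else None


def protocol_allowed(name, value, normalize=True):
    """White-list check, applied only to the URL-bearing attributes."""
    if name.lower() not in URL_ATTRIBUTES:
        return True  # other attributes are covered by other rules, not this one
    scheme = scheme_of(value, normalize)
    return scheme is None or scheme in ALLOWED_PROTOCOLS


def filter_attributes(attrs):
    """Keep only the attributes whose protocol passes the white list."""
    return {k: v for k, v in attrs.items() if protocol_allowed(k, v)}


# Constructed sample values, one per encoding named in the version history.
SAMPLES = [
    ("href", "https://example.org/page"),
    ("href", "/relative/path"),
    ("href", "javascript:void(0)"),
    ("href", "&#106;avascript:void(0)"),   # decimal entity (1.3.0)
    ("href", "&#x6A;avascript:void(0)"),   # hexadecimal entity (1.2.1)
    ("src", "java\x00script:void(0)"),     # \x00 symbol (1.3.0)
]

if __name__ == "__main__":
    for name, value in SAMPLES:
        print(name, repr(value), protocol_allowed(name, value, normalize=False),
              protocol_allowed(name, value))
```

With `normalize=False` the last three samples pass the check because the raw text has no recognizable scheme; with normalization they are rejected, which is why the decoding step has to come before the white-list comparison.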