
Escaped values in attributes are converted back to characters

Open bschuiling opened this issue 9 years ago • 0 comments

When adding sanitized strings to attributes, pQuery's output can break form elements because it converts encoded strings back to the character values of those.

Proof of concept:

require_once('pquery/load_pquery.php');                      // load the pQuery library
$domObj = pQuery::parseStr('<input type="text" placeholder="Hello">');
$domObj->query('input')->attr('placeholder', '\&quot;&gt; &#039;'); // already-sanitized value
echo $domObj->html();                                        // entities come back as raw characters

Output: <input type="text" placeholder="\"> '" />

This is the result of this getInnerText() function in gan_node_html.php

function getInnerText() {
    return html_entity_decode($this->toString(true, true, 1), ENT_QUOTES);
}

I'm not sure what the purpose is for that line since pQuery doesn't seem to store those values encoded.

bschuiling, Jan 30 '17 13:01
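The decode-on-output pattern from the report, placed beside a serializer that escapes on output instead, as an added stand-alone example (not pQuery's own code). The `renderDecoding`, `renderEscaping` and `attributeIntact` helpers and the two sample values are constructed for this illustration.

```php
<?php
// Added example, not pQuery's code: shows why running html_entity_decode() on an
// attribute value while serializing undoes upstream sanitization, and what an
// escape-on-output serializer produces for the same inputs.

// Mimics the reported behaviour: the stored value is decoded as it is written
// back, so entities from sanitized input become live characters in the markup.
function renderDecoding(string $value): string {
    return '<input type="text" placeholder="' . html_entity_decode($value, ENT_QUOTES) . '" />';
}

// Escapes on output instead. double_encode=false leaves entities that are
// already present untouched, so sanitized input round-trips unchanged while a
// raw quote still becomes &quot; (ENT_HTML401 renders ' as &#039;, as in the PoC).
function renderEscaping(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8', false);
    return '<input type="text" placeholder="' . $escaped . '" />';
}

// True when the tag still has exactly one placeholder attribute whose value
// contains no raw quote or angle bracket, i.e. it could not close the
// attribute or the tag early.
function attributeIntact(string $html): bool {
    return preg_match('~^<input type="text" placeholder="[^"<>]*" />$~', $html) === 1;
}

// Constructed inputs: the sanitized string from the report, and the same
// payload as raw, unescaped text.
$sanitized = '&quot;&gt; &#039;';
$raw       = '"> \'';

foreach ([$sanitized, $raw] as $value) {
    $broken = renderDecoding($value);
    $safe   = renderEscaping($value);
    printf("input:    %s\n", $value);
    printf("decoding: %s  intact=%s\n", $broken, var_export(attributeIntact($broken), true));
    printf("escaping: %s  intact=%s\n", $safe, var_export(attributeIntact($safe), true));
}
// For either input, the decoding path yields
//   <input type="text" placeholder=""> '" />            (intact=false)
// and the escaping path yields
//   <input type="text" placeholder="&quot;&gt; &#039;" />  (intact=true)
```

Note that the escaping path gives identical, intact output whether the caller pre-sanitized the value or not, which is the property the report's `attr()` call relies on.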