Bug <tag><hello</tag>

Open asch3ron opened this issue 9 years ago • 1 comments

Hello,

I'm parsing some game reports, and players can choose their own name. (here it's <:::::::::::::)=o)

$dom = \pQuery::parseStr('<td><:::::::::::::)=o</td><td>1,524</td><td>29</td>');
foreach ($dom->query('td') as $td)
{
    var_dump($td->text());
}

Results:

string(7) "1,52429"
string(5) "1,524"
string(2) "29"

The <td><:::::::::::::)=o</td> is missing. Is that a known bug?

Thanks,

asch3ron, Feb 01 '17 13:02

Hi @asch3ron, I hope you solved your problem. I just stumbled into this issue and I wanted to let you know that this is probably both a bug in the library and a security hole in your application, specifically persistent XSS. Input from the user should always be sanitised. Imagine if a user enters as her name <script src="url_of_malicious_code"></script>! The script will run for every user that sees the malicious user's name in any page and very bad things can happen. Or maybe I am just being paranoid...

jotaelesalinas, Jan 31 '18 21:01
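
An added example, not part of the original thread or of pQuery's code: it shows the output-encoding side of the point raised in the comment above, where player names are escaped at the moment they are written into the report HTML, so that both names from this thread come back as plain cell text and no element is created from them. The helper names (`esc`, `renderRow`, `inspectRow`) and the sample rows are constructed for illustration, and the check uses PHP's bundled DOM extension instead of pQuery.

```php
<?php
// Added example: helper names and sample rows are constructed for illustration.
// Assumes the DOM extension (DOMDocument) is enabled.

/** Escape one untrusted value for use as element content or inside a quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build one table row from untrusted cell values, escaping every cell. */
function renderRow(array $cells): string
{
    return '<tr><td>' . implode('</td><td>', array_map('esc', $cells)) . '</td></tr>';
}

/** Parse a row and return [text of each <td>, number of <script> elements found]. */
function inspectRow(string $rowHtml): array
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc->loadHTML('<table>' . $rowHtml . '</table>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $texts = [];
    foreach ($doc->getElementsByTagName('td') as $td) {
        $texts[] = $td->textContent;
    }
    return [$texts, $doc->getElementsByTagName('script')->length];
}

// Constructed sample rows: the player name from the report, and the name from the comment.
$rows = [
    ['<:::::::::::::)=o', '1,524', '29'],
    ['<script src="url_of_malicious_code"></script>', '87', '3'],
];

foreach ($rows as $cells) {
    $html = renderRow($cells);
    [$texts, $scriptCount] = inspectRow($html);
    echo $html, "\n";
    // true when every cell text equals the original input; count of script elements parsed
    var_dump($texts === $cells, $scriptCount);
}
```

Escaping belongs at output, in the code that writes the name into HTML; the stored name stays as the player typed it.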