Closed Baker68 closed 2 years ago
Thanks for your report.
I wish I could prevent this, but actually I realize I can't.
This issue is the same as https://github.com/taoqf/node-html-parser/issues/51. It's not due to the attribute `__proto__` but `=` in the attribute value.
This is a different issue, I think. Just requires checking if attribute name === '__proto__' and rejecting it.
Corrected in v5
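The name check suggested in the comment above, as an added example that is not part of the thread or the project's own code. The function names and sample pairs are constructed for illustration, and the null-prototype store is an extra safeguard beyond what the comment proposes.

```javascript
// Constructed sample: attribute name/value pairs as a tokenizer might emit them.
const SAMPLE_PAIRS = [
  ['id', 'main'],
  ['__proto__', 'x'],
  ['class', 'a=b'],
];

// Naive collection into a plain object literal.
// Writing the key '__proto__' does not create an own property: it goes
// through the accessor inherited from Object.prototype. A string value is
// ignored (the attribute silently disappears); an object value would
// replace the prototype of the attribute map itself.
function collectNaive(pairs) {
  const attrs = {};
  for (const [name, value] of pairs) {
    attrs[name] = value;
  }
  return attrs;
}

// Names the collector refuses to store (hypothetical list for this example).
const FORBIDDEN_NAMES = new Set(['__proto__']);

// Hardened collection: reject the forbidden name explicitly, and keep the
// attributes in an object with no prototype so no inherited accessor or
// inherited key can interfere with lookups.
function collectHardened(pairs) {
  const attrs = Object.create(null);
  const rejected = [];
  for (const [name, value] of pairs) {
    if (FORBIDDEN_NAMES.has(name)) {
      rejected.push(name); // surfaced to the caller instead of dropped silently
      continue;
    }
    attrs[name] = value;
  }
  return { attrs, rejected };
}

const naive = collectNaive(SAMPLE_PAIRS);
const hardened = collectHardened(SAMPLE_PAIRS);
console.log(Object.keys(naive), Object.keys(hardened.attrs), hardened.rejected);
```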
I don't think it can lead to a remote code execution, but I think that you should prevent this.
Other examples: