Bug <tag><hello</tag> - Githubissues

tburry / pquery

A jQuery like html dom parser written php.

GNU Lesser General Public License v2.1

135 stars 25 forks source link

Bug <tag><hello</tag> #13

Open asch3ron opened 7 years ago

asch3ron commented 7 years ago

Hello,

I'm parsing some game reports, and players can choose their own name. (here it's <:::::::::::::)=o)

$dom            = \pQuery::parseStr('<td><:::::::::::::)=o</td><td>1,524</td><td>29</td>');
foreach ($dom->query('td') as $td)
{
    var_dump($td->text());
}

Results:

string(7) "1,52429"
string(5) "1,524"
string(2) "29"

The <td><:::::::::::::)=o</td> is missing. Is that a known bug ?

Thanks,

jotaelesalinas commented 6 years ago

Hi @asch3ron, I hope you solved your problem. I just stumbled into this issue and I wanted to let you know that this is probably both a bug in the library and a security hole in your application, specifically persistent XSS. Input from the user should always be sanitised. Imagine if a user enters as her name <script src="url_of_malicious_code"></script>! The script will run for every user that sees the malicious user's name in any page and very bad things can happen. Or maybe I am just being paranoid...