On 03/01/11 20:48, Philip Tzou wrote:
> According to its website, "phpQuery is a server-side, chainable, CSS3
> selector driven Document Object Model (DOM) API based on jQuery JavaScript
> Library."
>
> I feel it will be very convenient if we introduce such jquery-like tools
> into MediaWiki since we do have the need to parse HTML text. For example, I
> can replace the awful regex part of LanguageConverter::autoConvert with
> phpQuery.
>
> So I want to ask: is it possible to introduce phpQuery into MediaWiki?
CSS selectors are the worst part of jQuery, I wish they weren't in it.
Sizzle is slow and bulky -- necessarily so considering what it does,
but a more sensible function-based API could have exposed a rich
feature set to users without introducing nearly so much overhead.
The overloaded $() function encourages sloppy escaping practices,
leading to bugs and possibly even XSS vulnerabilities:
    var elementName = elementInput.value;  // raw user input from a form field
    var elts = $(elementName);             // $() decides itself whether this is a selector or HTML
Can construct a <script> node in a DocumentFragment, which I believe
may be immediately executed in some browsers.
    var className = classInput.value;      // raw user input from a form field
    var elts = $("#myid ." + className);   // concatenated unescaped into a selector
Arbitrary selector construction could have security consequences, such
as DoS. What exactly is the correct escaping or validation function
for a class name in CSS? jQuery doesn't provide any help.
PHP already provides XPath, which is integrated with the DOM extension
and is just as feature-rich as CSS. We use it in the ImageMap
extension. So if you wanted an insecure text protocol for DOM node
selection, you could just use that.
<http://projects.webappsec.org/w/page/13247005/XPath-Injection>
-- Tim Starling
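As an added example, not part of Tim's message and not jQuery's or phpQuery's code: the CSSOM "serialize an identifier" algorithm, which is what browsers' CSS.escape() implements today, written out in plain JavaScript so it runs under Node, together with hardened forms of the two snippets above (the class name is escaped into an identifier; the element name is validated against a whitelist pattern and is meant for getElementsByTagName() rather than the overloaded $()). The names cssEscape, classSelector and validTagName are this example's own.

```javascript
'use strict';

// CSSOM "serialize an identifier": the algorithm behind CSS.escape() in browsers.
// Written out here so the example runs under Node, which has no CSS object.
function cssEscape(value) {
  const s = String(value);
  const firstIsDash = s.charCodeAt(0) === 0x2d;
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const ch = s.charAt(i);
    if (c === 0) { out += '\uFFFD'; continue; }          // NUL becomes U+FFFD
    const digit = c >= 0x30 && c <= 0x39;
    if ((c >= 0x01 && c <= 0x1f) || c === 0x7f ||          // control characters,
        (i === 0 && digit) ||                              // a leading digit,
        (i === 1 && digit && firstIsDash)) {               // or "-" followed by a digit
      out += '\\' + c.toString(16) + ' ';                  // hex escape plus terminating space
      continue;
    }
    if (i === 0 && s.length === 1 && c === 0x2d) { out += '\\-'; continue; }
    const alpha = (c >= 0x41 && c <= 0x5a) || (c >= 0x61 && c <= 0x7a);
    if (c >= 0x80 || c === 0x2d || c === 0x5f || digit || alpha) {
      out += ch;                                           // identifier characters pass through
    } else {
      out += '\\' + ch;                                    // everything else is backslash-escaped
    }
  }
  return out;
}

// Hardened form of the second snippet: the user-supplied class name is escaped,
// so it can only ever match a class and cannot add combinators or further selectors.
function classSelector(id, className) {
  return '#' + cssEscape(id) + ' .' + cssEscape(className);
}

// Hardened form of the first snippet: an element name is validated, not escaped,
// and is intended for getElementsByTagName() rather than $(). Returns null on rejection.
const TAG_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;
function validTagName(name) {
  return TAG_NAME.test(name) ? name.toLowerCase() : null;
}
```

With a constructed input such as "foo) , body *" the class selector comes out as "#myid .foo\)\ \,\ body\ \*", which can only match a class of that literal name.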
_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l