On 03/01/11 20:48, Philip Tzou wrote:
> According to its website, "phpQuery is a server-side, chainable, CSS3 selector driven Document Object Model (DOM) API based on jQuery JavaScript Library."
> I feel it will be very convenient if we introduce such jQuery-like tools into MediaWiki since we do have the need to parse HTML text. For example, I can replace the awful regex part of LanguageConverter::autoConvert with phpQuery.
> So I want to ask: is it possible to introduce phpQuery into MediaWiki?
CSS selectors are the worst part of jQuery, I wish they weren't in it. Sizzle is slow and bulky -- necessarily so considering what it does, but a more sensible function-based API could have exposed a rich feature set to users without introducing nearly so much overhead.
The overloaded $() function encourages sloppy escaping practices, leading to bugs and possibly even XSS vulnerabilities:
    var elementName = elementInput.value;
    var elts = $(elementName);
Can construct a <script> node in a DocumentFragment, which I believe may be immediately executed in some browsers.
    var className = classInput.value;
    var elts = $("#myid ." + className);
Arbitrary selector construction could have security consequences, such as DoS. What exactly is the correct escaping or validation function for a class name in CSS? jQuery doesn't provide any help.
PHP already provides XPath, which is integrated with the DOM extension and is just as feature-rich as CSS. We use it in the ImageMap extension. So if you wanted an insecure text protocol for DOM node selection, you could just use that.
http://projects.webappsec.org/w/page/13247005/XPath-Injection
-- Tim Starling
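One answer to the escaping question raised in the message above, as an added example that is not part of the thread: a reimplementation of the CSSOM CSS.escape() identifier-escaping algorithm (assumed here to match what a browser's CSS.escape() does; Node has no global CSS object) together with an allowlist check, used to build the "#myid ." + className selector from the message without letting the input supply selector syntax.

```javascript
"use strict";

// Escape a string so it can be embedded in a CSS selector as a single
// identifier (class name, id, attribute value). This follows the CSSOM
// CSS.escape() algorithm; it is reimplemented because Node has no CSS object.
function cssEscape(value) {
  const s = String(value);
  const first = s.charCodeAt(0);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c === 0) { out += "\uFFFD"; continue; }                    // NUL -> U+FFFD
    if ((c >= 0x01 && c <= 0x1f) || c === 0x7f ||                  // control characters,
        (i === 0 && c >= 0x30 && c <= 0x39) ||                     // a leading digit, or
        (i === 1 && c >= 0x30 && c <= 0x39 && first === 0x2d)) {   // "-" followed by a digit
      out += "\\" + c.toString(16) + " ";                          // -> hex escape + space
      continue;
    }
    if (i === 0 && s.length === 1 && c === 0x2d) { out += "\\-"; continue; } // lone "-"
    if (c >= 0x80 || c === 0x2d || c === 0x5f ||                   // non-ASCII, "-", "_",
        (c >= 0x30 && c <= 0x39) || (c >= 0x41 && c <= 0x5a) ||    // digits, letters:
        (c >= 0x61 && c <= 0x7a)) {                                // pass through unchanged
      out += s[i];
      continue;
    }
    out += "\\" + s[i];                                            // anything else: backslash it
  }
  return out;
}

// Stricter allowlist for class names an application emits itself: letters,
// digits, "_" and "-", optionally led by one "-", never starting with a digit.
// Input that fails this is rejected rather than repaired.
const CLASS_NAME = /^-?[A-Za-z_][A-Za-z0-9_-]*$/;

function isSafeClassName(name) {
  return typeof name === "string" && CLASS_NAME.test(name);
}

// Defensive version of the selector from the message: validate first, then
// escape anyway so that relaxing the allowlist later cannot turn untrusted
// text into selector syntax (", *", "]" and so on). The caller passes the
// returned string to a selector-only API such as $(document).find(sel).
function buildClassSelector(idName, className) {
  if (!isSafeClassName(className)) {
    throw new RangeError("refusing to build selector from class name " + JSON.stringify(className));
  }
  return "#" + cssEscape(idName) + " ." + cssEscape(className);
}
```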