On 03/01/11 20:48, Philip Tzou wrote:
> According to its website, "phpQuery is a server-side, chainable, CSS3
> selector driven Document Object Model (DOM) API based on jQuery JavaScript
> Library."
>
> I feel it will be very convenient if we introduce such jQuery-like tools
> into MediaWiki since we do have the need to parse HTML text. For example, I
> can replace the awful regex part of LanguageConverter::autoConvert with
> phpQuery.
>
> So I want to ask: is it possible to introduce phpQuery into MediaWiki?
CSS selectors are the worst part of jQuery, I wish they weren't in it.
Sizzle is slow and bulky -- necessarily so considering what it does,
but a more sensible function-based API could have exposed a rich
feature set to users without introducing nearly so much overhead.

The overloaded $() function encourages sloppy escaping practices,
leading to bugs and possibly even XSS vulnerabilities:

    var elementName = elementInput.value;
    var elts = $(elementName);

Can construct a <script> node in a DocumentFragment, which I believe
may be immediately executed in some browsers.

    var className = classInput.value;
    var elts = $("#myid ." + className);

Arbitrary selector construction could have security consequences, such
as DoS. What exactly is the correct escaping or validation function
for a class name in CSS? jQuery doesn't provide any help.

PHP already provides XPath, which is integrated with the DOM extension
and is just as feature-rich as CSS. We use it in the ImageMap
extension. So if you wanted an insecure text protocol for DOM node
selection, you could just use that.

<http://projects.webappsec.org/w/page/13247005/XPath-Injection>

-- Tim Starling
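The second snippet in the reply above asks what the correct escaping or validation function for a class name in a selector would be. As an added example, not code from the thread or from jQuery, here is a hand-written port of the CSSOM `CSS.escape()` identifier-serialization algorithm plus a stricter allowlist check; the names `escapeCssIdentifier`, `isPlainClassName` and `classSelector` are my own.

```javascript
// Added example (not from the thread): port of the CSSOM CSS.escape()
// algorithm, so an untrusted class name can be concatenated into a selector
// such as "#myid ." + className without changing the selector's structure.
function escapeCssIdentifier(value) {
  const s = String(value);
  const first = s.charCodeAt(0);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const ch = s[i];
    if (c === 0x0000) { out += "\uFFFD"; continue; }              // NUL -> U+FFFD
    if ((c >= 0x0001 && c <= 0x001F) || c === 0x007F ||          // control chars
        (i === 0 && c >= 0x30 && c <= 0x39) ||                    // leading digit
        (i === 1 && c >= 0x30 && c <= 0x39 && first === 0x2D)) {  // "-" then digit
      out += "\\" + c.toString(16) + " ";                          // hex escape
      continue;
    }
    if (i === 0 && c === 0x2D && s.length === 1) {                // lone "-"
      out += "\\" + ch; continue;
    }
    if (c >= 0x0080 || c === 0x2D || c === 0x5F ||                // non-ASCII, "-", "_"
        (c >= 0x30 && c <= 0x39) ||                                // digit
        (c >= 0x41 && c <= 0x5A) || (c >= 0x61 && c <= 0x7A)) {   // ASCII letter
      out += ch; continue;
    }
    out += "\\" + ch;                                              // everything else
  }
  return out;
}

// Allowlist validation: the stricter alternative when only plain class
// names are acceptable (reject instead of escape). Constructed pattern.
const CLASS_NAME_RE = /^-?[A-Za-z_][A-Za-z0-9_-]*$/;
function isPlainClassName(value) { return CLASS_NAME_RE.test(String(value)); }

// The selector from the thread's example, with the untrusted part escaped.
function classSelector(className) {
  return "#myid ." + escapeCssIdentifier(className);
}
```

Current browsers expose the same algorithm as `CSS.escape()`, and jQuery 3 as `jQuery.escapeSelector()`; the allowlist check is the better choice when the input is only ever supposed to be a simple class name.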