According to its website, "phpQuery is a server-side, chainable, CSS3 selector driven Document Object Model (DOM) API based on jQuery JavaScript Library."
I feel it will be very convenient if we introduce such jQuery-like tools into MediaWiki since we do have the need to parse HTML text. For example, I can replace the awful regex part of LanguageConverter::autoConvert with phpQuery.
So I want to ask: is it possible to introduce phpQuery into MediaWiki?
Sincerely,
Philip Tzou
On 03/01/11 20:48, Philip Tzou wrote:
> According to its website, "phpQuery is a server-side, chainable, CSS3 selector driven Document Object Model (DOM) API based on jQuery JavaScript Library."
> I feel it will be very convenient if we introduce such jQuery-like tools into MediaWiki since we do have the need to parse HTML text. For example, I can replace the awful regex part of LanguageConverter::autoConvert with phpQuery.
> So I want to ask: is it possible to introduce phpQuery into MediaWiki?
CSS selectors are the worst part of jQuery, I wish they weren't in it. Sizzle is slow and bulky -- necessarily so considering what it does, but a more sensible function-based API could have exposed a rich feature set to users without introducing nearly so much overhead.
The overloaded $() function encourages sloppy escaping practices, leading to bugs and possibly even XSS vulnerabilities:
    var elementName = elementInput.value;
    var elts = $(elementName);
Can construct a <script> node in a DocumentFragment, which I believe may be immediately executed in some browsers.
    var className = classInput.value;
    var elts = $("#myid ." + className);
Arbitrary selector construction could have security consequences, such as DoS. What exactly is the correct escaping or validation function for a class name in CSS? jQuery doesn't provide any help.
PHP already provides XPath, which is integrated with the DOM extension and is just as feature-rich as CSS. We use it in the ImageMap extension. So if you wanted an insecure text protocol for DOM node selection, you could just use that.
http://projects.webappsec.org/w/page/13247005/XPath-Injection
-- Tim Starling
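
An added example, not part of the original thread: one way to neutralise the two patterns in the message above before a value reaches $(). The function names are hypothetical; the escaping follows the CSSOM "serialize an identifier" rules, which browsers expose as CSS.escape(), and "#myid" is taken from the snippet in the message.

```javascript
// Added example (not from the thread). All function names are illustrative.

// Escape a string so it can only ever be read as one CSS identifier,
// following the CSSOM "serialize an identifier" rules.
function escapeCssIdent(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s.charAt(i);
    const c = s.charCodeAt(i);
    const isDigit = c >= 0x30 && c <= 0x39;
    if (c === 0) {
      out += "\uFFFD"; // NUL is replaced by U+FFFD
    } else if (
      (c >= 0x01 && c <= 0x1f) || c === 0x7f ||
      (i === 0 && isDigit) ||
      (i === 1 && isDigit && s.charAt(0) === "-")
    ) {
      out += "\\" + c.toString(16) + " "; // hex escape, space-terminated
    } else if (i === 0 && s.length === 1 && ch === "-") {
      out += "\\-"; // a lone "-" is not a valid identifier
    } else if (c >= 0x80 || ch === "-" || ch === "_" || isDigit || /[A-Za-z]/.test(ch)) {
      out += ch; // safe identifier characters pass through unchanged
    } else {
      out += "\\" + ch; // everything else (space, comma, *, <, ...) is escaped
    }
  }
  return out;
}

// Second snippet in the message: build "#myid .<class>" from untrusted input
// without letting the input add combinators, commas or extra selectors.
function classSelector(className) {
  if (className === "") throw new RangeError("empty class name");
  return "#myid ." + escapeCssIdent(className);
}

// First snippet in the message: accept only a bare element name, so the
// value can never be interpreted as markup by an overloaded $().
function isPlainTagName(name) {
  return /^[A-Za-z][A-Za-z0-9]*$/.test(name);
}
```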
On Wed, Jan 5, 2011 at 3:04 AM, Tim Starling <tstarling@wikimedia.org> wrote:
> CSS selectors are the worst part of jQuery, I wish they weren't in it. Sizzle is slow and bulky -- necessarily so considering what it does, but a more sensible function-based API could have exposed a rich feature set to users without introducing nearly so much overhead.
In recent browsers (including IE8), you should be able to implement selectors very efficiently with querySelector() and querySelectorAll(). I should hope jQuery does this.
> PHP already provides XPath, which is integrated with the DOM extension and is just as feature-rich as CSS. We use it in the ImageMap extension. So if you wanted an insecure text protocol for DOM node selection, you could just use that.
Pretty much every web developer already knows selectors, though, while almost nobody uses XPath.
wikitech-l@lists.wikimedia.org