Possibly XSS vulnerability

A php based DOM parser.

Brought to you by: john_schlick, logmanoriginal, me578022

#195 Possibly XSS vulnerability

Status: closed

Owner: LogMANOriginal

Labels: None

Updated: 2022-04-05

Created: 2022-01-28

Creator: ulikhan

Private: No

Hi,

There is a potential XSS vulnerability in the library related to node attributes.

Example HTML:
hello

After DOM manipulation:
hello

Expected output:
hello

PHP code for verification:

hello'; $dom = str_get_html($html); $a = $dom->find('a', 0); $a->setAttribute('title', 'hello onclick=alert(1)'); echo $dom->save(); ?>

Discussion

ulikhan - 2022-01-28

Sorry, the editor modified my input, please check the attached file.

explanation.txt

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

LogMANOriginal - 2022-04-05

labels: security -->

status: open --> closed

assigned_to: LogMANOriginal
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

LogMANOriginal - 2022-04-05

Thanks for reporting this issue. While I agree that this is a bug in the attribute handler, it is not a XSS vulnerability, at least not for this project.

This issue is fixed in [a706de9bcb3b74ad10e04cc0b2de0d1b35007ab4]

Related

Commit: [a706de]

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.