Chrome PHP Cross-Site Scripting Vulnerability Due to Improper CSS Selector Encoding
Vulnerability
A cross-site scripting vulnerability has been identified in Chrome PHP versions prior to 1.14.0. The issue arises because CSS Selector expressions are not properly encoded, allowing for potential JavaScript injection. This vulnerability can be exploited by manipulating selector inputs in a way that introduces unescaped characters, leading to the execution of malicious scripts.
Impact
The vulnerability allows for cross-site scripting attacks, where an attacker can inject and execute malicious scripts in the context of the user's browser.
Reproduction
To reproduce this vulnerability, use a version of Chrome PHP prior to 1.14.0. Pass a CSS selector containing unescaped characters, such as the double quotes in 'input[type="password"]', to the 'find' method of the 'Mouse' input class. Because the selector is not encoded before being embedded in the JavaScript expression, the browser raises a JavaScript syntax error and the selector is never interpreted as intended. This can be verified by observing the resulting 'ElementNotFoundException', which indicates that the injected JavaScript was not executed as intended.
Remediation
Users can upgrade to Chrome PHP version 1.14.0 or later, where this vulnerability has been patched. Alternatively, selectors can be manually encoded before use by JSON-encoding the selector string before it is embedded in the JavaScript expression, which ensures it is always treated as a single string literal.
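The reproduction and remediation above, as an added example that is not chrome-php's own code: buildUnsafe models the pre-1.14.0 pattern of splicing a raw selector into a double-quoted JavaScript literal (the exact quoting used by the library is an assumption), buildSafe applies the JSON encoding the advisory recommends (JSON.stringify here, json_encode on the PHP side), and selectorReceivedBy parses the generated script with a stub document so the effect can be checked without a browser.

```javascript
// Added example, not code from chrome-php. Shows why an unencoded selector
// breaks (or can alter) the JavaScript that the headless browser evaluates,
// and how JSON encoding keeps it inside one string literal.

function buildUnsafe(selector) {
  // Raw interpolation (assumed pre-1.14.0 shape): any double quote in the
  // selector terminates the literal early, so the rest is parsed as code.
  return 'document.querySelector("' + selector + '")';
}

function buildSafe(selector) {
  // JSON encoding escapes quotes, backslashes and control characters, so the
  // selector is always a single well-formed string literal in the script.
  return 'document.querySelector(' + JSON.stringify(selector) + ')';
}

// Evaluate the generated script against a stub document whose querySelector
// simply returns the selector it was handed. Returns that selector, or null
// when the script does not even parse (the syntax error the advisory
// describes). Any other error is unexpected and is rethrown.
function selectorReceivedBy(script) {
  const stubDocument = { querySelector: (s) => s };
  try {
    return new Function('document', 'return ' + script)(stubDocument);
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
}

// Constructed sample selectors: the advisory's own example plus one with a
// backslash, which JSON encoding must also escape.
const SAMPLE_SELECTORS = ['input[type="password"]', 'a[title="C:\\dir"]'];

function demo() {
  for (const sel of SAMPLE_SELECTORS) {
    console.log('unsafe ->', selectorReceivedBy(buildUnsafe(sel)));
    console.log('safe   ->', selectorReceivedBy(buildSafe(sel)));
  }
}
```

Running demo() prints null for the unsafe builds and the original selector, byte for byte, for the safe builds.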
