Security fix for missing encoding in `CssSelector`

High
GrahamCampbell published GHSA-3432-fmrf-7vmh May 28, 2025

Package

chrome-php/chrome (Composer)

Affected versions

<1.14.0

Patched versions

1.14.0

Description

Impact

CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities.

Patches

This is patched in v1.14.0.

Workarounds

Users who are unable to upgrade can apply encoding manually to their selectors.
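
One way to apply that encoding by hand, as an added example that is not taken from the advisory or from the chrome-php project. It assumes the selector ends up between double quotes in a JavaScript string literal; `encodeSelectorForJsString` and `buildCountScript` are hypothetical names, and the sample selectors are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper, not part of chrome-php/chrome.
 * Escapes $selector so it remains data when placed between double quotes
 * in a JavaScript string literal (the assumed sink).
 */
function encodeSelectorForJsString(string $selector): string
{
    // JSON string escaping is valid JavaScript string escaping.
    // JSON_THROW_ON_ERROR raises JsonException on invalid UTF-8
    // instead of silently returning false.
    $literal = json_encode($selector, JSON_THROW_ON_ERROR);

    // json_encode wraps the value in double quotes; keep only the escaped body.
    return substr($literal, 1, -1);
}

// Assumed script shape, for illustration only: selector between double quotes.
function buildCountScript(string $fragment): string
{
    return 'document.querySelectorAll("' . $fragment . '").length';
}

// Constructed sample selectors.
$samples = [
    'div.item > a',        // nothing to escape
    'a[title="x"]',        // double quotes would close the literal early
    'a[href$="\\.pdf"]',   // backslash must be doubled to survive
];

foreach ($samples as $selector) {
    $encoded = encodeSelectorForJsString($selector);

    // Round-trip check: decoding the literal must give back the exact selector.
    $decoded = json_decode('"' . $encoded . '"', false, 512, JSON_THROW_ON_ERROR);
    if ($decoded !== $selector) {
        throw new RuntimeException('selector did not survive encoding');
    }

    echo 'raw:     ', buildCountScript($selector), PHP_EOL;
    echo 'encoded: ', buildCountScript($encoded), PHP_EOL, PHP_EOL;
}
```

Remove the manual encoding once on 1.14.0 or later, so that a selector is not encoded twice.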

Severity

High

CVE ID

CVE-2025-48883

Weaknesses

No CWEs
