Merge pull request 'Fix XSS vulnerability in SetAttribute (#12)' (#32) from fix/escape-javascript-xss into main

node.go

@@ -2,7 +2,6 @@ package extractor
 
 import (
 	"fmt"
-	"strings"
 
 	"github.com/playwright-community/playwright-go"
 )
@@ -104,11 +103,10 @@ func (n node) SetHidden(val bool) error {
 	return nil
 }
 
-func escapeJavaScript(s string) string {
-	return strings.Replace(strings.Replace(s, "\\", "\\\\", -1), "'", "\\'", -1)
-}
-
 func (n node) SetAttribute(name, value string) error {
-	_, err := n.locator.Evaluate(fmt.Sprintf(`(element) => element.setAttribute('%s', '%s');`, escapeJavaScript(name), escapeJavaScript(value)), nil)
+	_, err := n.locator.Evaluate(
+		`(element, args) => element.setAttribute(args.name, args.value)`,
+		map[string]string{"name": name, "value": value},
+	)
 	return err
 }

node_test.go

@@ -1,23 +1 @@
 package extractor
-
-import "testing"
-
-func TestEscapeJavaScript(t *testing.T) {
-	tests := []struct {
-		input string
-		want  string
-	}{
-		{"hello", "hello"},
-		{"it's", "it\\'s"},
-		{`back\slash`, `back\\slash`},
-		{`both\'`, `both\\\'`},
-		{"", ""},
-	}
-
-	for _, tt := range tests {
-		got := escapeJavaScript(tt.input)
-		if got != tt.want {
-			t.Errorf("escapeJavaScript(%q) = %q, want %q", tt.input, got, tt.want)
-		}
-	}
-}