fix: eliminate XSS vulnerability in SetAttribute by using Playwright arg passing
Replace string interpolation in SetAttribute with Playwright's Evaluate argument passing mechanism. This structurally eliminates the injection surface — arbitrary name/value strings are safely passed as JavaScript arguments rather than interpolated into the expression string. The vulnerable escapeJavaScript helper (which only escaped \ and ') is removed since it is no longer needed. Closes #12 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
10
node.go
10
node.go
@@ -2,7 +2,6 @@ package extractor
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/playwright-community/playwright-go"
|
||||
)
|
||||
@@ -104,11 +103,10 @@ func (n node) SetHidden(val bool) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func escapeJavaScript(s string) string {
|
||||
return strings.Replace(strings.Replace(s, "\\", "\\\\", -1), "'", "\\'", -1)
|
||||
}
|
||||
|
||||
func (n node) SetAttribute(name, value string) error {
|
||||
_, err := n.locator.Evaluate(fmt.Sprintf(`(element) => element.setAttribute('%s', '%s');`, escapeJavaScript(name), escapeJavaScript(value)), nil)
|
||||
_, err := n.locator.Evaluate(
|
||||
`(element, args) => element.setAttribute(args.name, args.value)`,
|
||||
map[string]string{"name": name, "value": value},
|
||||
)
|
||||
return err
|
||||
}
|
||||
|
||||
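Review bot: SetAttribute is exported but carries no doc comment, and the new body's contract is worth stating explicitly: name and value now reach element.setAttribute as Evaluate arguments rather than as text inside the expression, so the expression-injection path is closed, but the DOM write itself is still whatever the caller supplies (an event-handler or URL-bearing attribute is set exactly as given), and an attribute name the DOM rejects should, as far as I can tell, surface as the returned err rather than being filtered here. Suggested comment above the signature: `// SetAttribute sets attribute name to value on the node. Both strings are passed to the page as Evaluate arguments, never interpolated into the expression; the caller remains responsible for which attributes it chooses to set, and a name the DOM rejects is reported through the returned error.` A regression test that round-trips a value containing `'` and `\` through SetAttribute would pin the fix this commit makes, since the removed helper only escaped those two characters. The body presumably relies on playwright-go serializing the map[string]string as a plain object so that args.name and args.value resolve; worth confirming against the Evaluate documentation for the pinned playwright-go version.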