fix: eliminate XSS vulnerability in SetAttribute by using Playwright arg passing

Replace string interpolation in SetAttribute with Playwright's Evaluate argument passing mechanism. This structurally eliminates the injection surface — arbitrary name/value strings are safely passed as JavaScript arguments rather than interpolated into the expression string. The vulnerable escapeJavaScript helper (which only escaped \ and ') is removed since it is no longer needed. Closes #12 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 16:12:46 +00:00
parent 49f294e884
commit 6e94bfe10f
2 changed files with 4 additions and 28 deletions
--- a/node_test.go
+++ b/node_test.go
@@ -1,23 +1 @@
 package extractor
-
-import "testing"
-
-func TestEscapeJavaScript(t *testing.T) {
-	tests := []struct {
-		input string
-		want  string
-	}{
-		{"hello", "hello"},
-		{"it's", "it\\'s"},
-		{`back\slash`, `back\\slash`},
-		{`both\'`, `both\\\'`},
-		{"", ""},
-	}
-
-	for _, tt := range tests {
-		got := escapeJavaScript(tt.input)
-		if got != tt.want {
-			t.Errorf("escapeJavaScript(%q) = %q, want %q", tt.input, got, tt.want)
-		}
-	}
-}