steve/go-extractor
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: escapeJavaScript is insufficient — XSS risk in SetAttribute #12

New Issue
Closed
opened 2026-02-14 16:06:28 +00:00 by Claude · 2 comments
Claude commented 2026-02-14 16:06:28 +00:00
Collaborator
Copy Link

Parent: #2

Description

In node.go:107-113, escapeJavaScript() only escapes \ and ' characters:

func escapeJavaScript(s string) string {
    return strings.Replace(strings.Replace(s, "\\", "\\\\", -1), "'", "\\'", -1)
}

func (n node) SetAttribute(name, value string) error {
    _, err := n.locator.Evaluate(
        fmt.Sprintf(`(element) => element.setAttribute('%s', '%s');`,
            escapeJavaScript(name), escapeJavaScript(value)), nil)
    return err
}

This is missing escapes for:

  • Newlines (\n, \r) — can break the string literal
  • Null bytes (\0) — can terminate strings early
  • Backticks — could break out of template literals in some contexts
  • </script> sequences — could break out of script tags
  • Double quotes (") — while not used in the current template, defensive escaping is good practice

If user-controlled input flows through SetAttribute, this could allow JavaScript injection in the browser context.

Fix

Replace with a proper JavaScript string escaper:

func escapeJavaScript(s string) string {
    r := strings.NewReplacer(
        "\\", "\\\\",
        "'", "\\'",
        "\"", "\\\"",
        "\n", "\\n",
        "\r", "\\r",
        "\t", "\\t",
        "\x00", "\\x00",
        "</", "<\\/",
    )
    return r.Replace(s)
}

Or better yet, pass name and value as Playwright Evaluate arguments instead of string interpolation:

_, err := n.locator.Evaluate(
    `([name, value]) => element.setAttribute(name, value)`,
    []string{name, value})
**Parent:** #2 ## Description In `node.go:107-113`, `escapeJavaScript()` only escapes `\` and `'` characters: ```go func escapeJavaScript(s string) string { return strings.Replace(strings.Replace(s, "\\", "\\\\", -1), "'", "\\'", -1) } func (n node) SetAttribute(name, value string) error { _, err := n.locator.Evaluate( fmt.Sprintf(`(element) => element.setAttribute('%s', '%s');`, escapeJavaScript(name), escapeJavaScript(value)), nil) return err } ``` This is missing escapes for: - **Newlines** (`\n`, `\r`) — can break the string literal - **Null bytes** (`\0`) — can terminate strings early - **Backticks** — could break out of template literals in some contexts - **`</script>`** sequences — could break out of script tags - **Double quotes** (`"`) — while not used in the current template, defensive escaping is good practice If user-controlled input flows through `SetAttribute`, this could allow JavaScript injection in the browser context. ## Fix Replace with a proper JavaScript string escaper: ```go func escapeJavaScript(s string) string { r := strings.NewReplacer( "\\", "\\\\", "'", "\\'", "\"", "\\\"", "\n", "\\n", "\r", "\\r", "\t", "\\t", "\x00", "\\x00", "</", "<\\/", ) return r.Replace(s) } ``` Or better yet, pass `name` and `value` as Playwright `Evaluate` arguments instead of string interpolation: ```go _, err := n.locator.Evaluate( `([name, value]) => element.setAttribute(name, value)`, []string{name, value}) ```
Claude added the priority/criticalsecuritytype/task labels 2026-02-14 16:07:31 +00:00
Claude commented 2026-02-15 16:11:48 +00:00
Author
Collaborator
Copy Link

Starting work on this. Plan: replace string interpolation in SetAttribute with Playwright's Evaluate argument passing to eliminate the injection surface entirely. Will remove the vulnerable escapeJavaScript function and update tests.

Starting work on this. Plan: replace string interpolation in `SetAttribute` with Playwright's `Evaluate` argument passing to eliminate the injection surface entirely. Will remove the vulnerable `escapeJavaScript` function and update tests.
Claude commented 2026-02-15 16:13:05 +00:00
Author
Collaborator
Copy Link

Work finished. PR: #32

Replaced string interpolation with Playwright's Evaluate argument passing, eliminating the injection surface entirely. Removed the vulnerable escapeJavaScript helper.

Work finished. PR: #32 Replaced string interpolation with Playwright's `Evaluate` argument passing, eliminating the injection surface entirely. Removed the vulnerable `escapeJavaScript` helper.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working correctly
 claude
Trigger — Steve has marked this issue for Claude to work on.
 claude:blocked
Blocked — Waiting on a dependency (another issue/repo).
 claude:review
In Review — PR created, awaiting human review/merge.
 claude:running
Active — A Claude instance is currently working on this.
 documentation
Documentation improvements or additions
 enhancement
New feature or improvement to existing functionality
 performance
Performance optimization or resource usage improvement
 priority/critical
Showstopper — security vulnerability, data loss, or crash in production
 priority/high
Important — significant bug or high-value improvement
 priority/low
Nice to have — minor improvement or cleanup
 priority/medium
Normal — standard improvement or non-critical bug
 security
Security-related issue or vulnerability
 testing
Test coverage, test infrastructure, or test improvements
 type/epic
Parent issue grouping related stories/tasks
 type/refactor
Code restructuring without behavior change
 type/task
Concrete implementation work item
No Label priority/critical security type/task
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Claude fizi steve
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: steve/go-extractor#12
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?