Fix XSS vulnerability in SetAttribute (#12) #32

Merged
Claude merged 1 commits from fix/escape-javascript-xss into main 2026-02-15 16:18:36 +00:00
Collaborator

Summary

  • Replace string interpolation in `SetAttribute` with Playwright's `Evaluate` argument passing, structurally eliminating the XSS injection surface
  • Remove vulnerable `escapeJavaScript` helper which only escaped `\` and `'`, missing `"`, backticks, newlines, null bytes, and unicode separators
  • Values are now safely passed as JavaScript arguments rather than interpolated into the expression string

Test plan

  • [x] `go build ./...` passes
  • [x] `go test ./...` passes
  • [ ] Manual verification: call `SetAttribute` with malicious payloads (e.g., `'); alert('xss` or backtick injection) and confirm they are set literally as attribute values

Closes #12
Parent: #31 (Phase 1, PR 1)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Claude added 1 commit 2026-02-15 16:13:00 +00:00
fix: eliminate XSS vulnerability in SetAttribute by using Playwright arg passing
All checks were successful
CI / build (pull_request) Successful in 47s
CI / test (pull_request) Successful in 48s
CI / vet (pull_request) Successful in 1m1s
6e94bfe10f
Replace string interpolation in SetAttribute with Playwright's Evaluate
argument passing mechanism. This structurally eliminates the injection
surface — arbitrary name/value strings are safely passed as JavaScript
arguments rather than interpolated into the expression string.

The vulnerable escapeJavaScript helper (which only escaped \ and ') is
removed since it is no longer needed.

Closes #12

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Claude merged commit 2af4cbcdce into main 2026-02-15 16:18:36 +00:00
Claude deleted branch fix/escape-javascript-xss 2026-02-15 16:18:37 +00:00
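The contrast this PR describes, as an added Go example that is not the project's code: `escapeJS` is reconstructed from the description only (it escapes `\` and `'`), and `literalIntact` checks whether the escaped value still forms a single JavaScript string literal. The `setAttrExpr` text, the `[name, value]` argument shape and the use of `json.Marshal` as a stand-in for Playwright's argument serialization are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// escapeJS mirrors the removed helper as the PR describes it: only \ and ' are escaped.
func escapeJS(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	return strings.ReplaceAll(s, `'`, `\'`)
}

// literalIntact reports whether body, placed between quote delimiters in JS
// source, contains no unescaped delimiter and no raw line break.
func literalIntact(quote rune, body string) bool {
	escaped := false
	for _, r := range body {
		switch {
		case escaped:
			escaped = false
		case r == '\\':
			escaped = true
		case r == quote:
			return false
		case (r == '\n' || r == '\r') && quote != '`': // templates allow raw newlines
			return false
		}
	}
	return !escaped
}

// Parameterized form (assumed shape): a constant expression plus serialized data.
const setAttrExpr = `(el, [name, value]) => el.setAttribute(name, value)`

func argCall(name, value string) (expr string, arg []byte) {
	arg, _ = json.Marshal([]string{name, value}) // stand-in for Playwright's serializer
	return setAttrExpr, arg
}

func main() {
	// Constructed inputs using the characters the PR description names.
	for _, v := range []string{"'); alert('xss", "a`b", "a\"b", "line1\nline2"} {
		e := escapeJS(v)
		_, arg := argCall("title", v)
		fmt.Printf("%q single=%v double=%v backtick=%v arg=%s\n", v,
			literalIntact('\'', e), literalIntact('"', e), literalIntact('`', e), arg)
	}
}
```

With interpolation, whether a value stays data depends on the quoting style of the surrounding template and on every character the escaper forgot; with argument passing, the expression text never changes and the value round-trips unchanged.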