Replace string interpolation in SetAttribute with Playwright's Evaluate argument passing mechanism.

This structurally eliminates the injection surface — arbitrary name/value strings are safely passed as JavaScript arguments rather than interpolated into the expression string. The vulnerable escapeJavaScript helper (which only escaped \ and ') is removed since it is no longer needed.

Closes #12

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
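
The difference between the two approaches named in the commit message, as an added example that is not part of the commit or the project's code. The helper body, the single-quoted expression shape, the fake element and the JSON round trip standing in for Playwright's argument serializer are all assumptions made for illustration; the sample values are constructed.

```javascript
// Hypothetical reconstruction of the removed helper: escapes only \ and '.
function escapeJavaScript(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
}

// Minimal stand-in for a DOM element (constructed for this example).
function makeElement() {
  const attrs = new Map();
  return { attrs, setAttribute: (n, v) => attrs.set(String(n), String(v)) };
}

// Before: name and value become part of the expression's source text.
function setAttributeInterpolated(el, name, value) {
  const expr = `el.setAttribute('${escapeJavaScript(name)}', '${escapeJavaScript(value)}')`;
  new Function('el', expr)(el); // stands in for evaluating the built string
}

// After: the expression is a constant and the data travels as an argument,
// modelled here with a JSON round trip in place of Playwright's serializer.
const SET_ATTR = new Function('return (el, [name, value]) => el.setAttribute(name, value)')();
function setAttributeWithArgs(el, name, value) {
  SET_ATTR(el, JSON.parse(JSON.stringify([name, value])));
}

// Constructed inputs, including characters the two-character escape ignores.
const SAMPLES = ['plain', "it's", 'back\\slash', 'line1\nline2', 'cr\rlf', '${x}`"</b>'];

// Runs both variants on each sample and reports whether the value survived.
function compare() {
  return SAMPLES.map((value) => {
    const a = makeElement();
    const b = makeElement();
    let interpolated;
    try {
      setAttributeInterpolated(a, 'title', value);
      interpolated = a.attrs.get('title') === value ? 'ok' : 'altered';
    } catch (e) {
      interpolated = e.name; // the built expression did not parse
    }
    setAttributeWithArgs(b, 'title', value);
    const withArgs = b.attrs.get('title') === value ? 'ok' : 'altered';
    return { value, interpolated, withArgs };
  });
}

console.table(compare());
```

With the interpolated form, the values containing a raw line feed or carriage return change how the expression parses, so the data is being treated as source text; with argument passing every sample arrives unchanged.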