Skip to content

🔒 Fix potential XPath injection in _element_find_by_text#478

Open
Dor-bl wants to merge 2 commits into
serhatbolsu:masterfrom
Dor-bl:security-fix-xpath-injection-13711910271652422795
Open

🔒 Fix potential XPath injection in _element_find_by_text#478
Dor-bl wants to merge 2 commits into
serhatbolsu:masterfrom
Dor-bl:security-fix-xpath-injection-13711910271652422795

Conversation

@Dor-bl

@Dor-bl Dor-bl commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

The input string 'text' was directly concatenated into the XPath query using format(), which could allow a malicious user to manipulate the XPath structure. This is fixed by using the utility function escape_xpath_value() and updating the XPath templates to work with the escaped (and already quoted) values.

PR Title: 🔒 [security fix potential XPath injection in _element_find_by_text]

🎯 What: Fixed potential XPath injection vulnerability in the _element_find_by_text method.
⚠️ Risk: Malicious input could be used to manipulate XPath queries, potentially allowing unauthorized access to elements or data within the application.
🛡️ Solution: Applied utils.escape_xpath_value() to the text parameter before incorporating it into XPath strings. Refactored the XPath templates to remove hardcoded quotes. Added comprehensive unit tests in tests/keywords/test_element_security.py to verify the fix.

Implements

Fixing

The input string 'text' was directly concatenated into the XPath query using format(), which could allow a malicious user to manipulate the XPath structure. This is fixed by using the utility function escape_xpath_value() and updating the XPath templates to work with the escaped (and already quoted) values.

PR Title: 🔒 [security fix potential XPath injection in _element_find_by_text]

🎯 What: Fixed potential XPath injection vulnerability in the `_element_find_by_text` method.
⚠️ Risk: Malicious input could be used to manipulate XPath queries, potentially allowing unauthorized access to elements or data within the application.
🛡️ Solution: Applied `utils.escape_xpath_value()` to the `text` parameter before incorporating it into XPath strings. Refactored the XPath templates to remove hardcoded quotes. Added comprehensive unit tests in `tests/keywords/test_element_security.py` to verify the fix.
@emanlove emanlove self-requested a review July 5, 2026 23:27
@emanlove emanlove self-assigned this Jul 5, 2026
@emanlove emanlove added bug Acknowledge Acknowledge within Release Notes labels Jul 5, 2026
@chsinger

chsinger commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Thanks for the PR @Dor-bl, nice fix!

I verified all escape branches produce valid XPath and the injection payload no longer escapes the literal.

Could you add a test case for text containing both quote types (e.g. a'b"c)? That exercises the concat(...) branch of escape_xpath_value, which is the trickiest path and currently untested — all four payloads in the new test file only contain double quotes.

@Dor-bl

Dor-bl commented Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Done! Added a test case with mixed quotes to exercise the branch as requested.

@Dor-bl

Dor-bl commented Jul 11, 2026

Copy link
Copy Markdown
Contributor Author

@chsinger
You don't have merge permissions?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Acknowledge Acknowledge within Release Notes bug

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants