[repo-monitor] High: XPath injection via unsanitized id attribute value

[Liohtml]

Summary

HTML element id attribute values are embedded directly into XPath expressions using single-quote delimiters without escaping, enabling XPath injection from page content.

Location

• File: src/parser/selector_generation.rs
• Line(s): 50

Severity

High

Details

parts.push(format!("{}[@id='{}']", tag, id.as_str()));

An HTML element with id="foo' or '1'='1" produces the XPath div[@id='foo' or '1'='1'], which is valid but semantically wrong and matches unintended nodes. Adversarial page content could cause incorrect element identification.

Suggested Fix

Escape single quotes in the ID value before embedding:

let escaped_id = id.as_str().replace('\'', "\\'");
parts.push(format!("{}[@id='{}']" , tag, escaped_id));

---

Automated finding by repo-monitor

[Liohtml]

Analysis

Confirmed. src/parser/selector_generation.rs:50:

format!("{}[@id='{}']", tag, id.as_str())

An id attribute containing ' (e.g., <div id="o'reilly">) would produce: div[@id='o'reilly'] — syntactically invalid XPath that either errors or matches incorrectly.

Exploitability assessment: This is XPath generation, not XPath execution in a security-sensitive context. The generated XPath is stored in SqliteStorage for adaptive scraping (remembering element positions). It's not a user-input-to-query injection in the traditional sense — it's a developer using the CSS selector generator on a page with an unusual ID attribute.

In practice, HTML IDs with apostrophes are rare (they're technically valid HTML but unusual). The bug would manifest as a failed SqliteStorage lookup for elements with such IDs — a correctness issue, not a security issue.

Fix:

// src/parser/selector_generation.rs
let escaped_id = id.as_str().replace('\'', "'");
format!("{}[@id='{}']", tag, escaped_id)

Or use double quotes in the XPath:

let escaped_id = id.as_str().replace('"', """);
format!("{}[@id=\"{}\"]", tag, escaped_id)

My honest take: Fix it because it's a correctness bug, not because it's a security issue. The priority is lower than #1 (allowed_domains bypass), #3 (robots.txt hang), and #9 (checkpoint data loss).

Effort: 5 min.