Add ARIA element detection for client spider crawling #296
cx-daniel-gabay wants to merge 4 commits into zaproxy:main from
Great job! No new security vulnerabilities introduced in this pull request. Use @Checkmarx to interact with Checkmarx PR Assistant.

This needs DCO and lint fix.

It looks good overall. The lint issues seem minor, you can likely
To address the DCO requirement you'll need to sign-off the commit(s):

This change enables the browser extension to detect and report elements with interactive ARIA roles (e.g., role="button", role="link") so the client spider can crawl pages that use non-standard interactive elements.

Key changes:
- Add INTERACTIVE_ARIA_ROLES array and hasInteractiveAriaRole() helper
- Detect elements with interactive ARIA roles (button, link, checkbox, etc.)
- Capture ariaIdentification for elements lacking an ID attribute
- Use aria-label as text for better diagnostics
- Add unit and integration tests with ariaElements.html test page
- Update toShortString() to filter null ariaIdentification for consistency

The ariaIdentification field is only populated for elements without an ID, providing alternative identification attributes for the client spider to locate elements during crawling.

Signed-off-by: cx-danielg <115538361+cx-daniel-gabay@users.noreply.github.com>

- Add separate 'role' field to ReportedElement for clickability checks
- Keep ariaIdentification for aria-* attributes only (no role duplication)
- Remove null initialization from role/ariaIdentification fields
- Simplify JSON serialization (undefined values auto-excluded)
- Update tests to reflect new data structure

Signed-off-by: cx-danielg <115538361+cx-daniel-gabay@users.noreply.github.com>

c7b6c68 to d9593ac

Fixed, thanks :)

source/types/ReportedModel.ts
Outdated
| }); | ||
|
|
||
| if (Object.keys(ariaAttrs).length > 0) { | ||
| this.ariaIdentification = ariaAttrs; |
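Review bot: the `if (Object.keys(ariaAttrs).length > 0)` guard only checks that some aria attribute was collected before `this.ariaIdentification = ariaAttrs;` runs, so two elements carrying the same attributes would both be reported with identical identification. Suggest assigning only when the collected attributes match exactly one element in the document and leaving the field unset otherwise; if that check is built as an attribute selector, escape the attribute values, since aria-label text can contain quotes.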
I'd have expected a similar check to
to ensure that we can uniquely identify the element just based on the aria attributes, otherwise we might end up interacting with another element.
There should be elements without ID and duplicated aria attributes.
Going forward it is not worth adding tests here, jsdom is not reliable for our purposes and we already have integration tests in place for the browsers we target.

The changelog needs an update.

Only report ariaIdentification when the aria attributes can uniquely identify the element in the DOM. This prevents the spider from potentially interacting with the wrong element when multiple elements share the same aria attributes.

Signed-off-by: cx-danielg <115538361+cx-daniel-gabay@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

d5b9712 to 1123472

- Include reporting of elements with specific role attributes
- Add ARIA attributes for uniquely identifiable elements without an id

Signed-off-by: cx-daniel-gabay <115538361+cx-daniel-gabay@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

1123472 to d923fe3

Summary
This PR enables the browser extension to detect and report elements with interactive ARIA roles so the client spider can crawl pages that use non-standard interactive elements (e.g., <div role="button">).

Changes

New Features
- button, link, checkbox, radio, switch, tab, menuitem, etc.)
- id attribute, providing alternative identification for the client spider
- aria-label attribute value as element text for better diagnostics

Implementation Details
- INTERACTIVE_ARIA_ROLES array with 17 interactive role types
- hasInteractiveAriaRole() helper function for cleaner role checking
- reportAriaElements() to query elements with [role] and filter by interactive roles
- ariaIdentification is only populated when element has no id (to minimize data payload)
- toShortString() to filter null ariaIdentification for consistency

Files Changed
- source/ContentScript/index.ts - ARIA element detection logic
- source/types/ReportedModel.ts - ariaIdentification field and capture logic
- test/ContentScript/unitTests.test.ts - Unit tests for ARIA detection
- test/ContentScript/integrationTests.test.ts - Integration tests
- test/ContentScript/utils.ts - Test helper updates
- test/ContentScript/webpages/ariaElements.html - Test page with ARIA elements

Test Plan

Related
This change works together with corresponding updates to the ZAP client add-on (zap-extensions) to handle the ariaIdentification data and use it for element identification during crawling.
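
The reporting rules discussed in this PR (interactive-role filter, an id taking precedence, and ariaIdentification only when the aria attributes are unique on the page), as an added example that is not code from the PR or the ZAP project. It models elements as plain attribute maps instead of a DOM; `buildReports`, `matchCount`, `NAMED_ROLES` and the sample page are hypothetical names and constructed data, and the role list holds only the roles named in the description.

```typescript
// Elements are modelled as plain attribute maps (an assumption) so this runs without a DOM.
type Attrs = { [name: string]: string | undefined };
interface Reported { role: string; id?: string; text?: string; ariaIdentification?: Attrs }
// Only the roles named in the PR description; the PR's own array has 17 entries.
const NAMED_ROLES = ["button", "link", "checkbox", "radio", "switch", "tab", "menuitem"];
function interactiveRole(el: Attrs): string | undefined {
  const role = (el["role"] || "").trim().toLowerCase();
  return NAMED_ROLES.indexOf(role) !== -1 ? role : undefined;
}
// aria-* attributes only; the role is reported in its own field.
function ariaAttrs(el: Attrs): Attrs {
  const out: Attrs = {};
  Object.keys(el).filter((n) => n.slice(0, 5) === "aria-").forEach((n) => { out[n] = el[n]; });
  return out;
}
// Number of elements on the page carrying every attribute/value pair in `wanted`.
function matchCount(page: Attrs[], wanted: Attrs): number {
  const names = Object.keys(wanted);
  return page.filter((el) => names.every((n) => el[n] === wanted[n])).length;
}

function buildReports(page: Attrs[]): Reported[] {
  const reports: Reported[] = [];
  for (const el of page) {
    const role = interactiveRole(el);
    if (role === undefined) continue; // not an interactive role: not reported
    const report: Reported = { role };
    const label = el["aria-label"];
    const id = el["id"];
    const aria = ariaAttrs(el);
    if (label) report.text = label;
    if (id) {
      report.id = id; // an id already identifies the element
    } else if (Object.keys(aria).length > 0 && matchCount(page, aria) === 1) {
      report.ariaIdentification = aria; // reported only when unambiguous
    }
    reports.push(report);
  }
  return reports;
}

// Constructed sample page: two elements share aria-label="Delete".
const SAMPLE_PAGE: Attrs[] = [
  { role: "button", "aria-label": "Save" },
  { role: "button", "aria-label": "Delete" },
  { role: "link", "aria-label": "Delete" },
  { role: "tab", id: "tab-1", "aria-label": "Settings" },
  { role: "presentation", "aria-label": "Banner" },
];
```

Both "Delete" elements are still reported, but without ariaIdentification, so a consumer has to locate them some other way instead of acting on whichever element matches first.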