Add ARIA element detection for client spider crawling #296

Open
cx-daniel-gabay wants to merge 4 commits into zaproxy:main from cx-daniel-gabay:feature/aria-element-detection
@cx-daniel-gabay cx-daniel-gabay commented Feb 4, 2026

Summary

This PR enables the browser extension to detect and report elements with interactive ARIA roles so the client spider can crawl pages that use non-standard interactive elements (e.g., <div role="button">).

Changes

New Features

  • ARIA Role Detection: Detect elements with interactive ARIA roles (button, link, checkbox, radio, switch, tab, menuitem, etc.)
  • ariaIdentification Field: Capture ARIA attributes for elements lacking an id attribute, providing alternative identification for the client spider
  • aria-label as text: Use aria-label attribute value as element text for better diagnostics

Implementation Details

  • Added INTERACTIVE_ARIA_ROLES array with 17 interactive role types
  • Added hasInteractiveAriaRole() helper function for cleaner role checking
  • Modified reportAriaElements() to query elements with [role] and filter by interactive roles
  • ariaIdentification is only populated when element has no id (to minimize data payload)
  • Updated toShortString() to filter null ariaIdentification for consistency

Files Changed

  • source/ContentScript/index.ts - ARIA element detection logic
  • source/types/ReportedModel.ts - ariaIdentification field and capture logic
  • test/ContentScript/unitTests.test.ts - Unit tests for ARIA detection
  • test/ContentScript/integrationTests.test.ts - Integration tests
  • test/ContentScript/utils.ts - Test helper updates
  • test/ContentScript/webpages/ariaElements.html - Test page with ARIA elements

Test Plan

  • Unit tests pass (23 tests)
  • Integration tests include ARIA element scenarios
  • Manual testing with ZAP client spider on pages with ARIA elements

Related

This change works together with corresponding updates to the ZAP client add-on (zap-extensions) to handle the ariaIdentification data and use it for element identification during crawling.

Member

psiinon commented Feb 4, 2026

Checkmarx One – Scan Summary & Details 2503bd81-a4dc-45f6-aee3-8bd2d53c7208

Great job! No new security vulnerabilities introduced in this pull request


Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

Member

thc202 commented Feb 4, 2026

This needs DCO and lint fix.

@kingthorin
Member

It looks good overall. The lint issues seem minor, you can likely --fix them.


To address the DCO requirement you'll need to sign-off the commit(s):

This change enables the browser extension to detect and report elements
with interactive ARIA roles (e.g., role="button", role="link") so the
client spider can crawl pages that use non-standard interactive elements.

Key changes:
- Add INTERACTIVE_ARIA_ROLES array and hasInteractiveAriaRole() helper
- Detect elements with interactive ARIA roles (button, link, checkbox, etc.)
- Capture ariaIdentification for elements lacking an ID attribute
- Use aria-label as text for better diagnostics
- Add unit and integration tests with ariaElements.html test page
- Update toShortString() to filter null ariaIdentification for consistency

The ariaIdentification field is only populated for elements without an ID,
providing alternative identification attributes for the client spider to
locate elements during crawling.

Signed-off-by: cx-danielg <115538361+cx-daniel-gabay@users.noreply.github.com>
- Add separate 'role' field to ReportedElement for clickability checks
- Keep ariaIdentification for aria-* attributes only (no role duplication)
- Remove null initialization from role/ariaIdentification fields
- Simplify JSON serialization (undefined values auto-excluded)
- Update tests to reflect new data structure

Signed-off-by: cx-danielg <115538361+cx-daniel-gabay@users.noreply.github.com>
cx-daniel-gabay force-pushed the feature/aria-element-detection branch from c7b6c68 to d9593ac, February 5, 2026 12:46
@cx-daniel-gabay
Author

Fixed, thanks :)

});

if (Object.keys(ariaAttrs).length > 0) {
this.ariaIdentification = ariaAttrs;
Member

@thc202 thc202 Feb 9, 2026

I'd have expected a similar check to

function isElementPathUnique(path: string, documentElement: Document): boolean {
to ensure that we can uniquely identify the element just based on the aria attributes, otherwise we might end up interacting with another element.

See also zaproxy/zap-extensions#7116 (comment)

Author

done

Member

thc202 commented Feb 9, 2026

The changelog needs update.

Only report ariaIdentification when the aria attributes can uniquely
identify the element in the DOM. This prevents the spider from
potentially interacting with the wrong element when multiple elements
share the same aria attributes.

Signed-off-by: cx-danielg <115538361+cx-daniel-gabay@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
cx-daniel-gabay force-pushed the feature/aria-element-detection branch from d5b9712 to 1123472, February 16, 2026 15:07
- Include reporting of elements with specific role attributes
- Add ARIA attributes for uniquely identifiable elements without an id

Signed-off-by: cx-daniel-gabay <115538361+cx-daniel-gabay@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
cx-daniel-gabay force-pushed the feature/aria-element-detection branch from 1123472 to d923fe3, February 16, 2026 15:14
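
The behaviour this thread converges on (report ariaIdentification only for an interactive-role element that has no id and whose aria attributes match exactly one element) can be sketched as follows. This is an added example, not the PR's code: elements are modeled as plain records instead of DOM nodes so it runs without a browser, the `El` type, function names and sample page are assumptions, and the role list is only the subset named in the PR description.

```typescript
// Added example: elements are plain records so this runs without a browser DOM.
type El = { tag: string; attrs: Record<string, string> };

// Subset of interactive roles named in the PR description (the PR's array has 17).
const INTERACTIVE_ROLES: ReadonlySet<string> = new Set([
  "button", "link", "checkbox", "radio", "switch", "tab", "menuitem",
]);

function hasInteractiveRole(el: El): boolean {
  const role = (el.attrs["role"] ?? "").trim().toLowerCase();
  return INTERACTIVE_ROLES.has(role);
}

// Collect aria-* attributes only; role is tracked separately.
function ariaAttrsOf(el: El): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(el.attrs)) {
    if (k.startsWith("aria-")) out[k] = v;
  }
  return out;
}

// True when exactly one element on the page carries every given attribute value.
function isAriaUnique(aria: Record<string, string>, page: El[]): boolean {
  const keys = Object.keys(aria);
  const matches = page.filter((e) => keys.every((k) => e.attrs[k] === aria[k]));
  return matches.length === 1;
}

// Returns the aria identification to report, or undefined when the element has
// an id, has no aria-* attributes, or shares them with another element.
function ariaIdentification(el: El, page: El[]): Record<string, string> | undefined {
  if (!hasInteractiveRole(el) || el.attrs["id"]) return undefined;
  const aria = ariaAttrsOf(el);
  if (Object.keys(aria).length === 0) return undefined;
  return isAriaUnique(aria, page) ? aria : undefined;
}

// Constructed sample page: two elements share aria-label "Delete".
const samplePage: El[] = [
  { tag: "div", attrs: { role: "button", "aria-label": "Save" } },
  { tag: "div", attrs: { role: "button", "aria-label": "Delete" } },
  { tag: "span", attrs: { role: "button", "aria-label": "Delete" } },
  { tag: "div", attrs: { role: "tab", id: "t1", "aria-label": "Settings" } },
  { tag: "div", attrs: { role: "presentation", "aria-label": "Logo" } },
];
```

With the sample page, only the "Save" button yields an identification; both "Delete" elements are dropped because a crawler replaying that selector could land on either one.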