Fix XPath injection in search_item_ctrl_f by albertvillanova · Pull Request #1768 · huggingface/smolagents

Fix XPath injection in search_item_ctrl_f

This pull request hardens the search_item_ctrl_f function against XPath injection by introducing a helper _escape_xpath_string to escape string literals.

While the practical impact is limited (the XPath runs only on attacker-controlled DOM content), it is still best practice to properly escape literals to prevent brittle behavior and reduce risk if the code is reused elsewhere.
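As an added illustration of the escaping technique the PR describes (this is example code written for this page, not the smolagents implementation of `_escape_xpath_string`, whose exact body is not shown here), the helper below turns an arbitrary Python string into a valid XPath 1.0 string literal. XPath has no backslash escapes, so a value containing both quote characters has to be assembled with `concat()`. The `build_search_xpath` function and the `naive_search_xpath` it is contrasted with are hypothetical names chosen for the example.

```python
def escape_xpath_string(value: str) -> str:
    """Return `value` as an XPath 1.0 string literal.

    XPath literals cannot escape quotes, so:
      - no single quote in value  -> wrap in single quotes
      - no double quote in value  -> wrap in double quotes
      - both present              -> split on single quotes and join the
                                     pieces with concat(), inserting "'"
                                     for each single quote that was removed
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for i, chunk in enumerate(value.split("'")):
        if i > 0:
            # the single quote that split() consumed, as a double-quoted literal
            parts.append('"\'"')
        if chunk:
            parts.append(f"'{chunk}'")
    # value contains at least one "'" and at least one '"', so parts has >= 2
    # entries, which satisfies concat()'s minimum argument count
    return "concat(" + ", ".join(parts) + ")"


def naive_search_xpath(needle: str) -> str:
    """The brittle form: the literal is quoted by string interpolation alone.

    A needle containing an apostrophe (constructed input: O'Reilly) closes the
    literal early and leaves a malformed expression behind.
    """
    return f"//*[contains(text(), '{needle}')]"


def build_search_xpath(needle: str) -> str:
    """The hardened form: the needle is always a well-formed XPath literal."""
    return f"//*[contains(text(), {escape_xpath_string(needle)})]"


if __name__ == "__main__":
    # constructed sample needles covering all three quoting cases
    for needle in ["hello", "O'Reilly", 'say "hi" y\'all']:
        print("naive  :", naive_search_xpath(needle))
        print("escaped:", build_search_xpath(needle))
```

Each branch of `escape_xpath_string` produces a single literal that an XPath engine parses as one string, so user-supplied quote characters can never terminate the literal and become part of the predicate, which is the property the PR is after.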