
Fix critical bugs and XSS vulnerabilities in PulsarWebDriver click functions #303

Draft
Copilot wants to merge 4 commits into master from copilot/review-pulsarwebdriver-click-functions


Copilot AI commented Feb 2, 2026

Problem

Review identified 6 critical/high severity issues in PulsarWebDriver.click series functions:

  • clickMatches() called non-existent JavaScript function
  • XSS vulnerabilities via unescaped user input in pattern and attrName parameters
  • Count parameter defined but completely ignored
  • No error handling for invalid regex patterns

Changes

Missing Implementation

Added __pulsar_utils__.clickMatches() in JavaScript - function was referenced but never implemented.

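```javascript
// Clicks up to `count` elements matching `selector` whose `attrName`
// attribute matches the regex `pattern`; returns the number clicked.
__pulsar_utils__.clickMatches = function(selector, attrName, pattern, count = 1) {
    try {
        // An invalid pattern throws here and is handled by the catch below
        let regex = new RegExp(pattern)
        let clicked = 0
        for (let ele of document.querySelectorAll(selector)) {
            if (clicked >= count) break
            // Optional chaining skips elements that lack the attribute
            if (ele.getAttribute(attrName)?.match(regex)) {
                ele.scrollIntoView()
                ele.click()
                clicked++
            }
        }
        return clicked
    } catch (e) {
        console.error(`Error in clickMatches: selector=${selector}, attrName=${attrName}, pattern=${pattern}`, e)
        return 0
    }
}
```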

Security Fixes

Escaped user input in AbstractWebDriver.kt - prevents JavaScript injection:

```kotlin
// Before: XSS vulnerability
evaluate("__pulsar_utils__.clickTextMatches('$safeSelector', '$pattern')")

// After: properly escaped
val safePattern = Strings.escapeJsString(pattern)
evaluate("__pulsar_utils__.clickTextMatches('$safeSelector', '$safePattern', $count)")
```

Applied to:

  • clickTextMatches() - escaped pattern
  • clickMatches() - escaped attrName and pattern

Functional Fixes

  • Count parameter: Now passed to JavaScript and enforced (previously clicked all matches)
  • Error handling: Wrapped regex operations in try-catch to prevent crashes on invalid patterns
  • Logging: Enhanced error messages with full context (selector, pattern, attrName)

Documentation

  • Fixed JSDoc copy-paste errors in clickNthAnchor()
  • Added proper parameter descriptions and return types

Test Coverage

Added PulsarWebDriverClickTests with 9 test cases covering:

  • Count enforcement
  • Pattern matching (basic, special chars, multiple matches)
  • Attribute matching
  • XSS prevention verification

Security Scan

CodeQL: 0 alerts

Additional Findings

Not fixed (may be intentional design):

  • hover() calls bringToFront(), click() does not
  • click() documentation says "focuses" but implementation only scrolls into view
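
The escaping fix described under "Security Fixes" above, as an added example that is not part of the pull request or the project's code: it builds the `evaluate()` expression both ways and runs each against a stub to show what the page-side function would receive. `buildNaive`, `buildEscaped`, `run`, `demo` and `probe` are hypothetical names, and `JSON.stringify` stands in for `Strings.escapeJsString`, whose implementation is not shown on the page.

```javascript
// Added example. buildNaive, buildEscaped, run, demo and probe are hypothetical names.

// Mirrors the "Before" line: the pattern is pasted raw between single quotes.
function buildNaive(selector, pattern) {
  return `__pulsar_utils__.clickTextMatches('${selector}', '${pattern}')`;
}

// Mirrors the "After" line. JSON.stringify emits a quoted JS string literal with
// quotes, backslashes and control characters escaped; it stands in for
// Strings.escapeJsString (assumption: that helper's code is not on the page).
function buildEscaped(selector, pattern, count = 1) {
  if (!Number.isInteger(count) || count < 0) {
    throw new RangeError("count must be a non-negative integer");
  }
  return `__pulsar_utils__.clickTextMatches(${JSON.stringify(selector)}, ` +
         `${JSON.stringify(pattern)}, ${count})`;
}

// Evaluates an expression against a stub and records what the page-side
// function would have received, plus any write to the `probe` object.
function run(expression) {
  const calls = [];
  const probe = {};
  const stub = { clickTextMatches: (...args) => { calls.push(args); return 0; } };
  try {
    new Function("__pulsar_utils__", "probe", expression)(stub, probe);
    return { ok: true, calls, probe };
  } catch (e) {
    return { ok: false, error: e.name, calls, probe };
  }
}

// Constructed sample patterns: an apostrophe, a regex escape, and a string
// that closes the literal early and appends a statement.
const SAMPLES = ["O'Reilly", "\\d+ items", "x'); probe.ran = true; ('"];

function demo() {
  return SAMPLES.map((pattern) => ({
    pattern,
    naive: run(buildNaive("a", pattern)),
    escaped: run(buildEscaped("a", pattern, 2)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The naive builder fails in three different ways on these inputs: a syntax error, a silently altered regex (`\d` arrives as `d`), and an appended statement that runs. The escaped builder delivers each pattern unchanged along with the count.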


Copilot AI and others added 3 commits February 2, 2026 15:13
…ing, count support

Co-authored-by: galaxyeye <1701451+galaxyeye@users.noreply.github.com>
Co-authored-by: galaxyeye <1701451+galaxyeye@users.noreply.github.com>
Co-authored-by: galaxyeye <1701451+galaxyeye@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review implementation of PulsarWebDriver click functions" to "Fix critical bugs and XSS vulnerabilities in PulsarWebDriver click functions" Feb 2, 2026
Copilot AI requested a review from galaxyeye February 2, 2026 15:29