Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More →

eslint-plugin-risxss

Package Overview

Dependencies

Advanced tools

Install Socket

Detect and block malicious and high-risk dependencies

Install

eslint-plugin-risxss

Various XSS-hunter ESLint rules

2.1.0
latest
Source
npm

Version published: 4 years ago

Maintainers: 4

Created: 6 years ago

Source

🛡RisXSS

Eradicate all XSS flaws of your React or Vue application using a single ESLint rule.

Example

How to install RisXSS ?

First, use your favorite package manager to add eslint-plugin-risxss in your devDependencies, for example with yarn :

yarn add eslint-plugin-risxss --dev

Then, you just have to add the tailored rule for your projet (React or Vue) :
- risxss/catch-potential-xss-react for React project
- risxss/catch-potential-xss-vue for Vue project

To do so, add these lines in your eslint config, for instance if you use .eslintrc.js config file :

If your project uses React/Javascript :

module.exports = {
    env: {
        browser: true,
        es6: true
    },
    extends: 'eslint:recommended',
    parserOptions: {
        ecmaFeatures: {
            jsx: true
        },
        ecmaVersion: 2018,
        sourceType: 'module'
    },
    plugins: ['react', 'risxss'],      //  <<< add risxss in plugins
    rules: {
        'risxss/catch-potential-xss-react': 'error'  //  <<< add this in rules
    }
};

If your project uses React/TypeScript :

module.exports = {
    env: {
        browser: true,
        es6: true
    },
    parser: '@typescript-eslint/parser',
    extends: 'eslint:recommended',
    parserOptions: {
        project: './tsconfig.json',
        ecmaFeatures: {
            jsx: true
        },
        ecmaVersion: 2018,
        sourceType: 'module'
    },
    plugins: ['risxss'],   //  <<< add risxss in plugins
    rules: {
        'risxss/catch-potential-xss-react': 'error'   //  <<< add this in rules
    }
};

If your project uses Vue.js

module.exports = {
    env: {
        browser: true
    },
    extends: ['plugin:vue/essential'],
    parserOptions: {
        parser: 'babel-eslint'
    },
    plugins: ['vue', 'risxss'],   //  <<< add risxss in plugins
    rules: {
        'risxss/catch-potential-xss-vue': 'error'   //  <<< add this in rules
    }
};

Rules

catch-potential-xss-react - Enforce the use of dompurify when using dangerouslySetInnerHtml
catch-potential-xss-vue - Enforce the use of dompurify when using v-html

Configuring the rules

Sometimes you have your own rules to prevent XSS and you don't use DOMPurify.sanitize on your inputs. You can add your own function name to the RisXSS whitelist by passing them as options.

:warning: We still recommend using DOMPurify to sanitize your inputs :warning:

module.exports = {
    env: {
        browser: true
    },
    extends: ['plugin:vue/essential'],
    parserOptions: {
        parser: 'babel-eslint'
    },
    plugins: ['vue', 'risxss'],   //  <<< add risxss in plugins
    rules: {
        'risxss/catch-potential-xss-vue': ['error', {
            trustedLibraries: ['xss'] //  <<< define your anti XSS function here.
        }]
    }
};

// in your file
import { sanitize } from 'xss';

export const DesktopPostCard = ({ post }) => (
  <div dangerouslySetInnerHTML={{ __html: sanitize(post.content) }} />
);

License

MIT

FAQs

What is eslint-plugin-risxss?

Is eslint-plugin-risxss well maintained?

Package last updated on 22 Mar 2021

Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

eslint-plugin-risxss

🛡RisXSS

How to install RisXSS ?

Rules

Configuring the rules

License

Related posts

Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets

NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates