xsslint

xsslint

Find potential XSS vulnerabilities in your jquery spaghetti beautiful code, e.g.

$('h2').html("Hello <i>" + unsafeVar + "</i>")

installation

npm install xsslint

usage

var glob = require("glob");
var XSSLint = require("xsslint");
var files = glob.sync("path/to/files/**/*.js");
files.forEach(function(file) {
  var warnings = XSSLint.run(file);
  warnings.forEach(function(warning) {
    console.error(file + ":" + warning.line + ": possibly XSS-able `" + warning.method + "` call");
  });
});

This will print out a bunch of warnings like:

foo.js:123: possibly XSS-able `html()` call

Evaluate each one, and either:

1. Fix it, if it's an actual problem

2. If it's a false positive, flag it as such, i.e.

   • Set your own global XSSLint.configure to match your conventions. For example, if you prefix JQuery object variables with a $, and you have an html-escaping function called htmlEscape, you'd want:

      XSSLint.configure({
        "jqueryObject.identifier": /^\$/,
        "safeString.function":     "htmlEscape"
     });
     

   • Set your own file-specific config overrides via comment, e.g.

      // xsslint jqueryObject.property jQ
      // xsslint safeString.property /Html$/
     

   See the default configuration to get an idea what kinds of things can be set.