    xsslint

    0.1.6 • Public • Published

    Find potential XSS vulnerabilities in your jquery spaghetti beautiful code, e.g.

    $('h2').html("Hello <i>" + unsafeVar + "</i>")

    By default, xsslint evaluates any jQuery function/method calls that accept html content ($, .html, .append, etc.) as well as any string concatenation with html-y literals, but it can be easily customized to suit your needs.

    installation

    npm install xsslint

    usage

    xsslint's API is simple; it accepts a filename and returns an array of warning objects for that file. To lint your whole codebase, you'll want a little bit of glue code like so:

    var glob = require("glob");
    var XSSLint = require("xsslint");
    var files = glob.sync("path/to/files/**/*.js");
    files.forEach(function(file) {
      var warnings = XSSLint.run(file);
      warnings.forEach(function(warning) {
        console.error(file + ":" + warning.line + ": possibly XSS-able `" + warning.method + "` call");
      });
    });

    This will print out a bunch of warnings like:

    foo.js:123: possibly XSS-able `html()` call

    and then?

    Given a list of warnings, you'll want to evaluate each one, and then:

    1. If it's an actual problem, fix it.

    2. If it's a false positive, flag it as such, e.g.

      • Set your own global configuration via XSSLint.configure to match your conventions. For example, if you prefix jQuery object variables with a $, and you have an html-escaping function called htmlEscape, you'd want:

         XSSLint.configure({
           "jqueryObject.identifier": [/^\$/],
           "safeString.function":     ["htmlEscape"]
         });
      • Set your own file-specific config overrides via comments, e.g.

         // xsslint jqueryObject.property jQ
         // xsslint safeString.property /Html$/

      See the default configuration to get an idea of what kinds of things can be set, or check out this real-world usage.
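    The html-escaping helper that the "safeString.function" convention above refers to, shown next to the unsafe concatenation from the first example. This is an added illustration, not code shipped with xsslint; the function names (htmlEscape, greetingUnsafe, greetingSafe) and the sample input are assumptions chosen for it.

```javascript
// Added example, not part of xsslint: an htmlEscape helper and the
// safe/unsafe ways of building the "Hello <i>...</i>" markup.

// Escape the five characters that can change HTML structure or break
// out of a quoted attribute. A single regex with a lookup table avoids the
// classic bug of replacing '&' after the other entities (double encoding).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern xsslint warns about: an html-y literal concatenated with an
// untrusted variable and then handed to a jQuery html sink. Kept for contrast.
function greetingUnsafe(unsafeVar) {
  return "Hello <i>" + unsafeVar + "</i>";
}

// Hardened form: the untrusted value is escaped before it touches markup,
// so any tags it contains are rendered as literal text. Because the call is
// named htmlEscape, the configuration above lets xsslint treat it as safe.
function greetingSafe(unsafeVar) {
  return "Hello <i>" + htmlEscape(unsafeVar) + "</i>";
}

// Constructed sample input: a name carrying a tag plus every escapable character.
const SAMPLE_NAME = 'Ada <script>"x"</script> & \'co\'';

// $('h2').html(greetingSafe(SAMPLE_NAME)) shows the tag as text; with
// greetingUnsafe(SAMPLE_NAME) the browser would parse it as markup.
console.log(greetingUnsafe(SAMPLE_NAME));
console.log(greetingSafe(SAMPLE_NAME));
```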

    real-world example

    Running xsslint on canvas-lms with some custom configuration uncovered 8 cross-site scripting vulnerabilities. It also identified dozens of potentially problematic areas.

    license

    Copyright (c) 2015 Jon Jensen, released under the MIT license

    Collaborators

    • jenseng