Find potential XSS vulnerabilities in your jquery spaghetti, er, beautiful code.
By default, xsslint evaluates any jQuery function/method calls that accept html content (`.html()`, `.append()`, etc.) as well as any string concatenation with html-y literals (e.g. a `"<li>"` literal joined to an untrusted value), but it can be easily customized to suit your needs.
npm install xsslint
xsslint's API is simple; it accepts a filename and returns an array of warning objects for that file. To lint your whole codebase, you'll want a little bit of glue code like so:
```javascript
var glob = require("glob");
var XSSLint = require("xsslint");

// The glob pattern and the per-file loop body were lost in extraction and are
// reconstructed here; adjust the pattern to your own tree.
var files = glob.sync("**/*.js");
files.forEach(function(file) {
  var warnings = XSSLint.run(file);
  warnings.forEach(function(warning) {
    console.error(file + ":" + warning.line + ": possibly XSS-able `" + warning.method + "` call");
  });
});
```
This will print out a bunch of warnings like:
foo.js:123: possibly XSS-able `html()` call
Given a list of warnings, you'll want to evaluate each one, and then:

1. If it's an actual problem, fix it (escape the value, or use a non-html method such as `.text()`).
2. If it's a false positive, flag it as such, e.g. with an `// xsslint` comment override (see the file-specific overrides below) so the warning does not come back on the next run.
1. Set your own global config via `XSSLint.configure` to match your conventions. For example, if you prefix jQuery object variables with a `$`, and you have an html-escaping function called `htmlEscape`, you'd want:

```javascript
// The config object was lost in extraction; the keys below follow the
// jqueryObject.* / safeString.* naming used by the comment overrides.
XSSLint.configure({
  "jqueryObject.identifier": /^\$/,
  "safeString.function":     "htmlEscape"
});
```

2. Set your own file-specific config overrides via comment, e.g.

```javascript
// xsslint jqueryObject.property jQ
// xsslint safeString.property /Html$/
```
real world example
Copyright (c) 2015 Jon Jensen, released under the MIT license