xsslint
v0.1.6
Published
Find potential XSS vulnerabilities
Downloads
216
Readme
xsslint
Find potential XSS vulnerabilities in your ~~jquery spaghetti~~ beautiful code, e.g.
$('h2').html("Hello <i>" + unsafeVar + "</i>")
By default, xsslint evaluates any jQuery function/method calls that accept
html content ($
, .html
, .append
, etc.) as well as any string
concatenation with html-y literals, but it can be easily customized to
suit your needs.
installation
npm install xsslint
usage
xsslint's API is simple; it accepts a filename and returns an array of warning objects for that file. To lint your whole codebase, you'll want a little bit of glue code like so:
var glob = require("glob");
var XSSLint = require("xsslint");
var files = glob.sync("path/to/files/**/*.js");
files.forEach(function(file) {
var warnings = XSSLint.run(file);
warnings.forEach(function(warning) {
console.error(file + ":" + warning.line + ": possibly XSS-able `" + warning.method + "` call");
});
});
This will print out a bunch of warnings like:
foo.js:123: possibly XSS-able `html()` call
and then?
Given a list of warnings, you'll want to evaluate each one, and then:
If it's an actual problem, fix it.
If it's a false positive, flag it as such, e.g.
Set your own global
XSSLint.configure
to match your conventions. For example, if you prefix jQuery object variables with a$
, and you have an html-escaping function calledhtmlEscape
, you'd want:XSSLint.configure({ "jqueryObject.identifier": [/^\$/], "safeString.function": ["htmlEscape"] });
Set your own file-specific config overrides via comment, e.g.
// xsslint jqueryObject.property jQ // xsslint safeString.property /Html$/
See the default configuration to get an idea what kinds of things can be set, or check out this real world usage.
real world example
Running xsslint on canvas-lms with some custom configuration uncovered 8 cross-site scripting vulnerabilities. It also identified dozens of potentially problematic areas.
license
Copyright (c) 2015 Jon Jensen, released under the MIT license