xsslint
Find potential XSS vulnerabilities
Last updated 3 months ago by jenseng .
MIT · Repository · Bugs · Original npm · Tarball · package.json
$ cnpm install xsslint 

xsslint

Find potential XSS vulnerabilities in your jquery spaghetti beautiful code, e.g.

$('h2').html("Hello <i>" + unsafeVar + "</i>")

By default, xsslint evaluates any jQuery function/method calls that accept html content ($, .html, .append, etc.) as well as any string concatenation with html-y literals, but it can be easily customized to suit your needs.

installation

npm install xsslint

usage

xsslint's API is simple; it accepts a filename and returns an array of warning objects for that file. To lint your whole codebase, you'll want a little bit of glue code like so:

var glob = require("glob");
var XSSLint = require("xsslint");
var files = glob.sync("path/to/files/**/*.js");
files.forEach(function(file) {
  var warnings = XSSLint.run(file);
  warnings.forEach(function(warning) {
    console.error(file + ":" + warning.line + ": possibly XSS-able `" + warning.method + "` call");
  });
});

This will print out a bunch of warnings like:

foo.js:123: possibly XSS-able `html()` call

and then?

Given a list of warnings, you'll want to evaluate each one, and then:

  1. If it's an actual problem, fix it.

  2. If it's a false positive, flag it as such, e.g.

    • Set your own global XSSLint.configure to match your conventions. For example, if you prefix jQuery object variables with a $, and you have an html-escaping function called htmlEscape, you'd want:

       XSSLint.configure({
         "jqueryObject.identifier": [/^\$/],
         "safeString.function":     ["htmlEscape"]
       });
      
    • Set your own file-specific config overrides via comment, e.g.

       // xsslint jqueryObject.property jQ
       // xsslint safeString.property /Html$/
      

    See the default configuration to get an idea of what kinds of things can be set, or check out this real world usage.
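To make the two configuration keys above concrete, here is an added example that is not xsslint's own code: a deliberately simplified, line-based imitation of the check the README describes (jQuery calls that accept HTML content, fed by concatenations of untrusted values). The method list, the regular expression and the `lintSource`/`htmlEscape` functions are assumptions made for this illustration; xsslint itself analyses real source rather than scanning one call per line. The sample input is constructed, and the warning shape mirrors the `{line, method}` objects shown in the usage section.

```javascript
// Added example, not xsslint's code: a toy line scanner that shows how the
// jqueryObject.identifier and safeString.function settings change the result.
// It only understands one call per line and splits arguments on "+".

// jQuery methods that interpret their argument as HTML (assumed subset)
const HTML_METHODS = ["html", "append", "prepend", "after", "before", "replaceWith"];

// Default config in the same shape as XSSLint.configure({...})
function makeConfig(overrides) {
  return Object.assign({
    "jqueryObject.identifier": [/^\$/],    // variables holding jQuery objects, not strings
    "safeString.function": ["htmlEscape"], // functions whose return value is already escaped
  }, overrides || {});
}

// The fix for a true positive: escape untrusted text before concatenating it into HTML
function htmlEscape(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, c => map[c]);
}

// Matches receiver.method(args) where receiver is $(...) or a bare identifier
const CALL_RE = new RegExp(
  "(\\$\\([^)]*\\)|[A-Za-z_$][\\w$]*)\\.(" + HTML_METHODS.join("|") + ")\\((.*)\\)\\s*;?\\s*$"
);

function isLiteral(op) { return /^(["']).*\1$/.test(op); }
function isJqueryObject(op, cfg) { return cfg["jqueryObject.identifier"].some(re => re.test(op)); }
function isSafeCall(op, cfg) { return cfg["safeString.function"].some(fn => op.startsWith(fn + "(")); }
function isJqueryReceiver(recv, cfg) { return /^\$\(/.test(recv) || isJqueryObject(recv, cfg); }

// Returns warnings shaped like xsslint's ({ line, method }) plus the operands that caused them
function lintSource(source, overrides) {
  const cfg = makeConfig(overrides);
  const warnings = [];
  source.split("\n").forEach((text, idx) => {
    const m = text.match(CALL_RE);
    if (!m || !isJqueryReceiver(m[1], cfg)) return;
    const operands = m[3].split(/\s*\+\s*/).map(s => s.trim()).filter(Boolean);
    // An operand is safe if it is a string literal, a jQuery object, or a safe-string call
    const unsafe = operands.filter(op => !isLiteral(op) && !isJqueryObject(op, cfg) && !isSafeCall(op, cfg));
    if (unsafe.length) warnings.push({ line: idx + 1, method: m[2] + "()", operands: unsafe });
  });
  return warnings;
}

// Constructed sample source
const SAMPLE = [
  '$("h2").html("Hello <i>" + unsafeVar + "</i>");',             // 1: true positive
  '$("h2").html("Hello <i>" + htmlEscape(unsafeVar) + "</i>");', // 2: fixed by escaping
  '$("h2").text(unsafeVar);',                                    // 3: .text() is not HTML
  '$list.append("<li>" + item.name + "</li>");',                 // 4: true positive
  '$("ul").append($child);',                                     // 5: $child is a jQuery object
  'list.append("<li>" + item.name + "</li>");',                  // 6: receiver unknown by default
].join("\n");

function report(overrides) {
  return lintSource(SAMPLE, overrides)
    .map(w => "sample.js:" + w.line + ": possibly XSS-able `" + w.method + "` call");
}

console.log(report().join("\n"));
// Telling the scanner that `list` also holds a jQuery object flags the sixth line too
console.log(report({ "jqueryObject.identifier": [/^\$/, /^list$/] }).join("\n"));
```

With the defaults, lines 1 and 4 are reported and line 2 is not, because `htmlEscape` is listed under `safeString.function`; removing it from that list turns line 2 into a warning, and adding `list` to `jqueryObject.identifier` turns line 6 into one. That is the same trade-off the README makes: the config is how you tell the tool which of your own names are already safe, so tune it rather than silencing warnings wholesale.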

real world example

Running xsslint on canvas-lms with some custom configuration uncovered 8 cross-site scripting vulnerabilities. It also identified dozens of potentially problematic areas.

license

Copyright (c) 2015 Jon Jensen, released under the MIT license

Current Tags

  • 0.1.6: latest (3 months ago)

9 Versions

  • 0.1.6 (3 months ago)
  • 0.1.5 (9 months ago)
  • 0.1.4 (3 years ago)
  • 0.1.3 (3 years ago)
  • 0.1.2 (4 years ago)
  • 0.1.1 (4 years ago)
  • 0.1.0 (5 years ago)
  • 0.0.2 (5 years ago)
  • 0.0.1 (5 years ago)