frontend-mobile-security-xss-scan
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
Best use case
frontend-mobile-security-xss-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
Teams using frontend-mobile-security-xss-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/frontend-mobile-security-xss-scan/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How frontend-mobile-security-xss-scan Compares
| Feature / Agent | frontend-mobile-security-xss-scan | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# XSS Vulnerability Scanner for Frontend Code
You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection points, unsafe DOM manipulation, and improper sanitization.
## Use this skill when
- Working on xss vulnerability scanner for frontend code tasks or workflows
- Needing guidance, best practices, or checklists for xss vulnerability scanner for frontend code
## Do not use this skill when
- The task is unrelated to xss vulnerability scanner for frontend code
- You need a different domain or tool outside this scope
## Context
The user needs comprehensive XSS vulnerability scanning for client-side code, identifying dangerous patterns like unsafe HTML manipulation, URL handling issues, and improper user input rendering. Focus on context-aware detection and framework-specific security patterns.
## Requirements
$ARGUMENTS
## Instructions
### 1. XSS Vulnerability Detection
Scan codebase for XSS vulnerabilities using static analysis:
```typescript
interface XSSFinding {
file: string;
line: number;
severity: 'critical' | 'high' | 'medium' | 'low';
type: string;
vulnerable_code: string;
description: string;
fix: string;
cwe: string;
}
class XSSScanner {
private vulnerablePatterns = [
'innerHTML', 'outerHTML', 'document.write',
'insertAdjacentHTML', 'location.href', 'window.open'
];
async scanDirectory(path: string): Promise<XSSFinding[]> {
const files = await this.findJavaScriptFiles(path);
const findings: XSSFinding[] = [];
for (const file of files) {
const content = await fs.readFile(file, 'utf-8');
findings.push(...this.scanFile(file, content));
}
return findings;
}
scanFile(filePath: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
findings.push(...this.detectHTMLManipulation(filePath, content));
findings.push(...this.detectReactVulnerabilities(filePath, content));
findings.push(...this.detectURLVulnerabilities(filePath, content));
findings.push(...this.detectEventHandlerIssues(filePath, content));
return findings;
}
detectHTMLManipulation(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('innerHTML') && this.hasUserInput(line)) {
findings.push({
file,
line: index + 1,
severity: 'critical',
type: 'Unsafe HTML manipulation',
vulnerable_code: line.trim(),
description: 'User-controlled data in HTML manipulation creates XSS risk',
fix: 'Use textContent for plain text or sanitize with DOMPurify library',
cwe: 'CWE-79'
});
}
});
return findings;
}
detectReactVulnerabilities(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('dangerously') && !this.hasSanitization(content)) {
findings.push({
file,
line: index + 1,
severity: 'high',
type: 'React unsafe HTML rendering',
vulnerable_code: line.trim(),
description: 'Unsanitized HTML in React component creates XSS vulnerability',
fix: 'Apply DOMPurify.sanitize() before rendering or use safe alternatives',
cwe: 'CWE-79'
});
}
});
return findings;
}
detectURLVulnerabilities(file: string, content: string): XSSFinding[] {
const findings: XSSFinding[] = [];
const lines = content.split('\n');
lines.forEach((line, index) => {
if (line.includes('location.') && this.hasUserInput(line)) {
findings.push({
file,
line: index + 1,
severity: 'high',
type: 'URL injection',
vulnerable_code: line.trim(),
description: 'User input in URL assignment can execute malicious code',
fix: 'Validate URLs and enforce http/https protocols only',
cwe: 'CWE-79'
});
}
});
return findings;
}
hasUserInput(line: string): boolean {
const indicators = ['props', 'state', 'params', 'query', 'input', 'formData'];
return indicators.some(indicator => line.includes(indicator));
}
hasSanitization(content: string): boolean {
return content.includes('DOMPurify') || content.includes('sanitize');
}
}
```
### 2. Framework-Specific Detection
```typescript
class ReactXSSScanner {
scanReactComponent(code: string): XSSFinding[] {
const findings: XSSFinding[] = [];
// Check for unsafe React patterns
const unsafePatterns = [
'dangerouslySetInnerHTML',
'createMarkup',
'rawHtml'
];
unsafePatterns.forEach(pattern => {
if (code.includes(pattern) && !code.includes('DOMPurify')) {
findings.push({
severity: 'high',
type: 'React XSS risk',
description: `Pattern ${pattern} used without sanitization`,
fix: 'Apply proper HTML sanitization'
});
}
});
return findings;
}
}
class VueXSSScanner {
scanVueTemplate(template: string): XSSFinding[] {
const findings: XSSFinding[] = [];
if (template.includes('v-html')) {
findings.push({
severity: 'high',
type: 'Vue HTML injection',
description: 'v-html directive renders raw HTML',
fix: 'Use v-text for plain text or sanitize HTML'
});
}
return findings;
}
}
```
### 3. Secure Coding Examples
```typescript
class SecureCodingGuide {
getSecurePattern(vulnerability: string): string {
const patterns = {
html_manipulation: `
// SECURE: Use textContent for plain text
element.textContent = userInput;
// SECURE: Sanitize HTML when needed
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;`,
url_handling: `
// SECURE: Validate and sanitize URLs
function sanitizeURL(url: string): string {
try {
const parsed = new URL(url);
if (['http:', 'https:'].includes(parsed.protocol)) {
return parsed.href;
}
} catch {}
return '#';
}`,
react_rendering: `
// SECURE: Sanitize before rendering
import DOMPurify from 'dompurify';
const Component = ({ html }) => (
<div dangerouslySetInnerHTML={{
__html: DOMPurify.sanitize(html)
}} />
);`
};
return patterns[vulnerability] || 'No secure pattern available';
}
}
```
### 4. Automated Scanning Integration
```bash
# ESLint with security plugin
npm install --save-dev eslint-plugin-security
eslint . --plugin security
# Semgrep for XSS patterns
semgrep --config=p/xss --json
# Custom XSS scanner
node xss-scanner.js --path=src --format=json
```
### 5. Report Generation
```typescript
class XSSReportGenerator {
generateReport(findings: XSSFinding[]): string {
const grouped = this.groupBySeverity(findings);
let report = '# XSS Vulnerability Scan Report\n\n';
report += `Total Findings: ${findings.length}\n\n`;
for (const [severity, issues] of Object.entries(grouped)) {
report += `## ${severity.toUpperCase()} (${issues.length})\n\n`;
for (const issue of issues) {
report += `- **${issue.type}**\n`;
report += ` File: ${issue.file}:${issue.line}\n`;
report += ` Fix: ${issue.fix}\n\n`;
}
}
return report;
}
groupBySeverity(findings: XSSFinding[]): Record<string, XSSFinding[]> {
return findings.reduce((acc, finding) => {
if (!acc[finding.severity]) acc[finding.severity] = [];
acc[finding.severity].push(finding);
return acc;
}, {} as Record<string, XSSFinding[]>);
}
}
```
### 6. Prevention Checklist
**HTML Manipulation**
- Never use innerHTML with user input
- Prefer textContent for text content
- Sanitize with DOMPurify before rendering HTML
- Avoid document.write entirely
**URL Handling**
- Validate all URLs before assignment
- Block javascript: and data: protocols
- Use URL constructor for validation
- Sanitize href attributes
**Event Handlers**
- Use addEventListener instead of inline handlers
- Sanitize all event handler input
- Avoid string-to-code patterns
**Framework-Specific**
- React: Sanitize before using unsafe APIs
- Vue: Prefer v-text over v-html
- Angular: Use built-in sanitization
- Avoid bypassing framework security features
## Output Format
1. **Vulnerability Report**: Detailed findings with severity levels
2. **Risk Analysis**: Impact assessment for each vulnerability
3. **Fix Recommendations**: Secure code examples
4. **Sanitization Guide**: DOMPurify usage patterns
5. **Prevention Checklist**: Best practices for XSS prevention
Focus on identifying XSS attack vectors, providing actionable fixes, and establishing secure coding patterns.Related Skills
frontend-ui-dark-ts
Build dark-themed React applications using Tailwind CSS with custom theming, glassmorphism effects, and Framer Motion animations. Use when creating dashboards, admin panels, or data-rich interfaces...
frontend-slides
Create stunning, animation-rich HTML presentations from scratch or by converting PowerPoint files. Use when the user wants to build a presentation, convert a PPT/PPTX to web, or create slides for a...
frontend-mobile-development-component-scaffold
You are a React component architecture expert specializing in scaffolding production-ready, accessible, and performant components. Generate complete component implementations with TypeScript, tests, s
frontend-developer
Build React components, implement responsive layouts, and handle client-side state management. Masters React 19, Next.js 15, and modern frontend architecture.
frontend-dev-guidelines
Opinionated frontend development standards for modern React + TypeScript applications. Covers Suspense-first data fetching, lazy loading, feature-based architecture, MUI v7 styling, TanStack Router...
frontend-design
Create distinctive, production-grade frontend interfaces with intentional aesthetics, high craft, and non-generic visual identity. Use when building or styling web UIs, components, pages, dashboard...
frontend-blueprint
AI frontend specialist and design consultant that guides users through a structured discovery process before generating any code. Collects visual references, design tokens, typography, icons, layout preferences, and brand guidelines to ensure the final output matches the user's vision with high fidelity. Use when the user asks to build, design, create, or improve any frontend interface — websites, landing pages, dashboards, components, apps, emails, forms, modals, or any UI element. Also triggers on "build me a UI", "design a page", "create a component", "improve this layout", "make this look better", "frontend", "interface", "redesign", or when the user provides mockups, screenshots, or design references. Do NOT use for backend logic, API design, database schemas, or non-visual code tasks.
cc-skill-frontend-patterns
Frontend development patterns for React, Next.js, state management, performance optimization, and UI best practices.
web-security-testing
Web application security testing workflow for OWASP Top 10 vulnerabilities including injection, XSS, authentication flaws, and access control issues.
vulnerability-scanner
Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
ton-vulnerability-scanner
Scans TON (The Open Network) smart contracts for 3 critical vulnerabilities including integer-as-boolean misuse, fake Jetton contracts, and forward TON without gas checks. Use when auditing FunC contracts.
substrate-vulnerability-scanner
Scans Substrate/Polkadot pallets for 7 critical vulnerabilities including arithmetic overflow, panic DoS, incorrect weights, and bad origin checks. Use when auditing Substrate runtimes or FRAME pallets.