frontend-mobile-security-xss-scan

You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi

16 stars

bydiegosouzapw

View on GitHub Installation ↓

Best use case

frontend-mobile-security-xss-scan is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using frontend-mobile-security-xss-scan should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/frontend-mobile-security-xss-scan/SKILL.md --create-dirs "https://raw.githubusercontent.com/diegosouzapw/awesome-omni-skill/main/skills/development/frontend-mobile-security-xss-scan/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/frontend-mobile-security-xss-scan/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How frontend-mobile-security-xss-scan Compares

Feature / Agent	frontend-mobile-security-xss-scan	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# XSS Vulnerability Scanner for Frontend Code

You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection points, unsafe DOM manipulation, and improper sanitization.

## Use this skill when

- Working on xss vulnerability scanner for frontend code tasks or workflows
- Needing guidance, best practices, or checklists for xss vulnerability scanner for frontend code

## Do not use this skill when

- The task is unrelated to xss vulnerability scanner for frontend code
- You need a different domain or tool outside this scope

## Context

The user needs comprehensive XSS vulnerability scanning for client-side code, identifying dangerous patterns like unsafe HTML manipulation, URL handling issues, and improper user input rendering. Focus on context-aware detection and framework-specific security patterns.

## Requirements

$ARGUMENTS

## Instructions

### 1. XSS Vulnerability Detection

Scan codebase for XSS vulnerabilities using static analysis:

```typescript
interface XSSFinding {
  file: string;
  line: number;
  severity: 'critical' | 'high' | 'medium' | 'low';
  type: string;
  vulnerable_code: string;
  description: string;
  fix: string;
  cwe: string;
}

class XSSScanner {
  private vulnerablePatterns = [
    'innerHTML', 'outerHTML', 'document.write',
    'insertAdjacentHTML', 'location.href', 'window.open'
  ];

  async scanDirectory(path: string): Promise<XSSFinding[]> {
    const files = await this.findJavaScriptFiles(path);
    const findings: XSSFinding[] = [];

    for (const file of files) {
      const content = await fs.readFile(file, 'utf-8');
      findings.push(...this.scanFile(file, content));
    }

    return findings;
  }

  scanFile(filePath: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];

    findings.push(...this.detectHTMLManipulation(filePath, content));
    findings.push(...this.detectReactVulnerabilities(filePath, content));
    findings.push(...this.detectURLVulnerabilities(filePath, content));
    findings.push(...this.detectEventHandlerIssues(filePath, content));

    return findings;
  }

  detectHTMLManipulation(file: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];
    const lines = content.split('\n');

    lines.forEach((line, index) => {
      if (line.includes('innerHTML') && this.hasUserInput(line)) {
        findings.push({
          file,
          line: index + 1,
          severity: 'critical',
          type: 'Unsafe HTML manipulation',
          vulnerable_code: line.trim(),
          description: 'User-controlled data in HTML manipulation creates XSS risk',
          fix: 'Use textContent for plain text or sanitize with DOMPurify library',
          cwe: 'CWE-79'
        });
      }
    });

    return findings;
  }

  detectReactVulnerabilities(file: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];
    const lines = content.split('\n');

    lines.forEach((line, index) => {
      if (line.includes('dangerously') && !this.hasSanitization(content)) {
        findings.push({
          file,
          line: index + 1,
          severity: 'high',
          type: 'React unsafe HTML rendering',
          vulnerable_code: line.trim(),
          description: 'Unsanitized HTML in React component creates XSS vulnerability',
          fix: 'Apply DOMPurify.sanitize() before rendering or use safe alternatives',
          cwe: 'CWE-79'
        });
      }
    });

    return findings;
  }

  detectURLVulnerabilities(file: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];
    const lines = content.split('\n');

    lines.forEach((line, index) => {
      if (line.includes('location.') && this.hasUserInput(line)) {
        findings.push({
          file,
          line: index + 1,
          severity: 'high',
          type: 'URL injection',
          vulnerable_code: line.trim(),
          description: 'User input in URL assignment can execute malicious code',
          fix: 'Validate URLs and enforce http/https protocols only',
          cwe: 'CWE-79'
        });
      }
    });

    return findings;
  }

  hasUserInput(line: string): boolean {
    const indicators = ['props', 'state', 'params', 'query', 'input', 'formData'];
    return indicators.some(indicator => line.includes(indicator));
  }

  hasSanitization(content: string): boolean {
    return content.includes('DOMPurify') || content.includes('sanitize');
  }
}
```

### 2. Framework-Specific Detection

```typescript
class ReactXSSScanner {
  scanReactComponent(code: string): XSSFinding[] {
    const findings: XSSFinding[] = [];

    // Check for unsafe React patterns
    const unsafePatterns = [
      'dangerouslySetInnerHTML',
      'createMarkup',
      'rawHtml'
    ];

    unsafePatterns.forEach(pattern => {
      if (code.includes(pattern) && !code.includes('DOMPurify')) {
        findings.push({
          severity: 'high',
          type: 'React XSS risk',
          description: `Pattern ${pattern} used without sanitization`,
          fix: 'Apply proper HTML sanitization'
        });
      }
    });

    return findings;
  }
}

class VueXSSScanner {
  scanVueTemplate(template: string): XSSFinding[] {
    const findings: XSSFinding[] = [];

    if (template.includes('v-html')) {
      findings.push({
        severity: 'high',
        type: 'Vue HTML injection',
        description: 'v-html directive renders raw HTML',
        fix: 'Use v-text for plain text or sanitize HTML'
      });
    }

    return findings;
  }
}
```

### 3. Secure Coding Examples

```typescript
class SecureCodingGuide {
  getSecurePattern(vulnerability: string): string {
    const patterns = {
      html_manipulation: `
// SECURE: Use textContent for plain text
element.textContent = userInput;

// SECURE: Sanitize HTML when needed
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;`,

      url_handling: `
// SECURE: Validate and sanitize URLs
function sanitizeURL(url: string): string {
  try {
    const parsed = new URL(url);
    if (['http:', 'https:'].includes(parsed.protocol)) {
      return parsed.href;
    }
  } catch {}
  return '#';
}`,

      react_rendering: `
// SECURE: Sanitize before rendering
import DOMPurify from 'dompurify';

const Component = ({ html }) => (
  <div dangerouslySetInnerHTML={{
    __html: DOMPurify.sanitize(html)
  }} />
);`
    };

    return patterns[vulnerability] || 'No secure pattern available';
  }
}
```

### 4. Automated Scanning Integration

```bash
# ESLint with security plugin
npm install --save-dev eslint-plugin-security
eslint . --plugin security

# Semgrep for XSS patterns
semgrep --config=p/xss --json

# Custom XSS scanner
node xss-scanner.js --path=src --format=json
```

### 5. Report Generation

```typescript
class XSSReportGenerator {
  generateReport(findings: XSSFinding[]): string {
    const grouped = this.groupBySeverity(findings);

    let report = '# XSS Vulnerability Scan Report\n\n';
    report += `Total Findings: ${findings.length}\n\n`;

    for (const [severity, issues] of Object.entries(grouped)) {
      report += `## ${severity.toUpperCase()} (${issues.length})\n\n`;

      for (const issue of issues) {
        report += `- **${issue.type}**\n`;
        report += `  File: ${issue.file}:${issue.line}\n`;
        report += `  Fix: ${issue.fix}\n\n`;
      }
    }

    return report;
  }

  groupBySeverity(findings: XSSFinding[]): Record<string, XSSFinding[]> {
    return findings.reduce((acc, finding) => {
      if (!acc[finding.severity]) acc[finding.severity] = [];
      acc[finding.severity].push(finding);
      return acc;
    }, {} as Record<string, XSSFinding[]>);
  }
}
```

### 6. Prevention Checklist

**HTML Manipulation**
- Never use innerHTML with user input
- Prefer textContent for text content
- Sanitize with DOMPurify before rendering HTML
- Avoid document.write entirely

**URL Handling**
- Validate all URLs before assignment
- Block javascript: and data: protocols
- Use URL constructor for validation
- Sanitize href attributes

**Event Handlers**
- Use addEventListener instead of inline handlers
- Sanitize all event handler input
- Avoid string-to-code patterns

**Framework-Specific**
- React: Sanitize before using unsafe APIs
- Vue: Prefer v-text over v-html
- Angular: Use built-in sanitization
- Avoid bypassing framework security features

## Output Format

1. **Vulnerability Report**: Detailed findings with severity levels
2. **Risk Analysis**: Impact assessment for each vulnerability
3. **Fix Recommendations**: Secure code examples
4. **Sanitization Guide**: DOMPurify usage patterns
5. **Prevention Checklist**: Best practices for XSS prevention

Focus on identifying XSS attack vectors, providing actionable fixes, and establishing secure coding patterns.

Related Skills

frontend_mastery

from diegosouzapw/awesome-omni-skill

Advanced React patterns, performance optimization, and state management rules.

frontend

from diegosouzapw/awesome-omni-skill

Apply distinctive frontend design to React + TailwindCSS apps. Use when building UI components, pages, or improving visual design. Breaks generic "AI slop" patterns.

frontend-web-dev-expert

from diegosouzapw/awesome-omni-skill

Advanced frontend web development expert system that provides comprehensive modern web development services including architecture design, UI/UX implementation, performance optimization, engineering setup, and cross-platform development through expert collaboration and intelligent tool integration.

frontend-ui-tailwind-standards

from diegosouzapw/awesome-omni-skill

Standardized guidelines and patterns for Frontend Ui Tailwind Standards.

frontend-ui

from diegosouzapw/awesome-omni-skill

Create aesthetically pleasing, visually distinctive frontend UIs using research-backed prompting strategies from Anthropic's frontend aesthetics cookbook

frontend-ui-dark-ts

from diegosouzapw/awesome-omni-skill

Build dark-themed React applications using Tailwind CSS with custom theming, glassmorphism effects, and Framer Motion animations. Use when creating dashboards, admin panels, or data-rich interfaces...

frontend-ui-animator

from diegosouzapw/awesome-omni-skill

Analyze and implement purposeful UI animations for Next.js + Tailwind + React projects. Use when user asks to add animations, enhance UI motion, animate pages/components, or improve visual feedback. Triggers on "add animations", "animate UI", "motion design", "hover effects", "scroll animations", "page transitions", "micro-interactions".

frontend-svelte

from diegosouzapw/awesome-omni-skill

Technical knowledge for SvelteKit 5 development. Build reactive applications with Svelte's compile-time magic. Expert in SvelteKit, stores, and reactive patterns. Activate for Svelte development, performance optimization, or modern web apps. This skill provides MCP usage patterns and Svelte 5 conventions. Use when implementing Svelte components or SvelteKit routes.

frontend-specialist

from diegosouzapw/awesome-omni-skill

Master of UI/UX, React, TypeScript, and modern CSS.

frontend-slides

from diegosouzapw/awesome-omni-skill

Create stunning, animation-rich HTML presentations from scratch or by converting PowerPoint files. Use when the user wants to build a presentation, convert a PPT/PPTX to web, or create slides for a...

frontend-shadcn

from diegosouzapw/awesome-omni-skill

Frontend development using Vite + React + shadcn/ui + Tailwind CSS + React Router v7. Use when creating new frontend projects, adding UI components, implementing routing, styling with Tailwind, or working with shadcn/ui component library.

frontend-security-coder

from diegosouzapw/awesome-omni-skill

Expert in secure frontend coding practices specializing in XSS prevention, output sanitization, and client-side security patterns.