Agent Skillsrmyndharis/antigravity-skills › frontend-mobile-security-xss-scan

frontend-mobile-security-xss-scan

GitHub

前端XSS漏洞扫描技能,针对React/Vue/Angular等代码进行静态分析,检测不安全DOM操作、HTML注入及URL处理风险,提供修复建议与CWE分类。

skills/frontend-mobile-security-xss-scan/SKILL.md rmyndharis/antigravity-skills

Trigger Scenarios

前端代码XSS漏洞扫描 前端安全最佳实践咨询 识别不安全DOM操作

Install

npx skills add rmyndharis/antigravity-skills --skill frontend-mobile-security-xss-scan -g -y
More Options

Use without installing

npx skills use rmyndharis/antigravity-skills@frontend-mobile-security-xss-scan

指定 Agent (Claude Code)

npx skills add rmyndharis/antigravity-skills --skill frontend-mobile-security-xss-scan -a claude-code -g -y

安装 repo 全部 skill

npx skills add rmyndharis/antigravity-skills --all -g -y

预览 repo 内 skill

npx skills add rmyndharis/antigravity-skills --list

SKILL.md

Frontmatter
{
    "name": "frontend-mobile-security-xss-scan",
    "description": "You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi"
}

XSS Vulnerability Scanner for Frontend Code

You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection points, unsafe DOM manipulation, and improper sanitization.

Use this skill when

  • Working on xss vulnerability scanner for frontend code tasks or workflows
  • Needing guidance, best practices, or checklists for xss vulnerability scanner for frontend code

Do not use this skill when

  • The task is unrelated to xss vulnerability scanner for frontend code
  • You need a different domain or tool outside this scope

Context

The user needs comprehensive XSS vulnerability scanning for client-side code, identifying dangerous patterns like unsafe HTML manipulation, URL handling issues, and improper user input rendering. Focus on context-aware detection and framework-specific security patterns.

Requirements

$ARGUMENTS

Instructions

1. XSS Vulnerability Detection

Scan codebase for XSS vulnerabilities using static analysis:

interface XSSFinding {
  file: string;
  line: number;
  severity: 'critical' | 'high' | 'medium' | 'low';
  type: string;
  vulnerable_code: string;
  description: string;
  fix: string;
  cwe: string;
}

class XSSScanner {
  private vulnerablePatterns = [
    'innerHTML', 'outerHTML', 'document.write',
    'insertAdjacentHTML', 'location.href', 'window.open'
  ];

  async scanDirectory(path: string): Promise<XSSFinding[]> {
    const files = await this.findJavaScriptFiles(path);
    const findings: XSSFinding[] = [];

    for (const file of files) {
      const content = await fs.readFile(file, 'utf-8');
      findings.push(...this.scanFile(file, content));
    }

    return findings;
  }

  scanFile(filePath: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];

    findings.push(...this.detectHTMLManipulation(filePath, content));
    findings.push(...this.detectReactVulnerabilities(filePath, content));
    findings.push(...this.detectURLVulnerabilities(filePath, content));
    findings.push(...this.detectEventHandlerIssues(filePath, content));

    return findings;
  }

  detectHTMLManipulation(file: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];
    const lines = content.split('\n');

    lines.forEach((line, index) => {
      if (line.includes('innerHTML') && this.hasUserInput(line)) {
        findings.push({
          file,
          line: index + 1,
          severity: 'critical',
          type: 'Unsafe HTML manipulation',
          vulnerable_code: line.trim(),
          description: 'User-controlled data in HTML manipulation creates XSS risk',
          fix: 'Use textContent for plain text or sanitize with DOMPurify library',
          cwe: 'CWE-79'
        });
      }
    });

    return findings;
  }

  detectReactVulnerabilities(file: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];
    const lines = content.split('\n');

    lines.forEach((line, index) => {
      if (line.includes('dangerously') && !this.hasSanitization(content)) {
        findings.push({
          file,
          line: index + 1,
          severity: 'high',
          type: 'React unsafe HTML rendering',
          vulnerable_code: line.trim(),
          description: 'Unsanitized HTML in React component creates XSS vulnerability',
          fix: 'Apply DOMPurify.sanitize() before rendering or use safe alternatives',
          cwe: 'CWE-79'
        });
      }
    });

    return findings;
  }

  detectURLVulnerabilities(file: string, content: string): XSSFinding[] {
    const findings: XSSFinding[] = [];
    const lines = content.split('\n');

    lines.forEach((line, index) => {
      if (line.includes('location.') && this.hasUserInput(line)) {
        findings.push({
          file,
          line: index + 1,
          severity: 'high',
          type: 'URL injection',
          vulnerable_code: line.trim(),
          description: 'User input in URL assignment can execute malicious code',
          fix: 'Validate URLs and enforce http/https protocols only',
          cwe: 'CWE-79'
        });
      }
    });

    return findings;
  }

  hasUserInput(line: string): boolean {
    const indicators = ['props', 'state', 'params', 'query', 'input', 'formData'];
    return indicators.some(indicator => line.includes(indicator));
  }

  hasSanitization(content: string): boolean {
    return content.includes('DOMPurify') || content.includes('sanitize');
  }
}

2. Framework-Specific Detection

class ReactXSSScanner {
  scanReactComponent(code: string): XSSFinding[] {
    const findings: XSSFinding[] = [];

    // Check for unsafe React patterns
    const unsafePatterns = [
      'dangerouslySetInnerHTML',
      'createMarkup',
      'rawHtml'
    ];

    unsafePatterns.forEach(pattern => {
      if (code.includes(pattern) && !code.includes('DOMPurify')) {
        findings.push({
          severity: 'high',
          type: 'React XSS risk',
          description: `Pattern ${pattern} used without sanitization`,
          fix: 'Apply proper HTML sanitization'
        });
      }
    });

    return findings;
  }
}

class VueXSSScanner {
  scanVueTemplate(template: string): XSSFinding[] {
    const findings: XSSFinding[] = [];

    if (template.includes('v-html')) {
      findings.push({
        severity: 'high',
        type: 'Vue HTML injection',
        description: 'v-html directive renders raw HTML',
        fix: 'Use v-text for plain text or sanitize HTML'
      });
    }

    return findings;
  }
}

3. Secure Coding Examples

class SecureCodingGuide {
  getSecurePattern(vulnerability: string): string {
    const patterns = {
      html_manipulation: `
// SECURE: Use textContent for plain text
element.textContent = userInput;

// SECURE: Sanitize HTML when needed
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput);
element.innerHTML = clean;`,

      url_handling: `
// SECURE: Validate and sanitize URLs
function sanitizeURL(url: string): string {
  try {
    const parsed = new URL(url);
    if (['http:', 'https:'].includes(parsed.protocol)) {
      return parsed.href;
    }
  } catch {}
  return '#';
}`,

      react_rendering: `
// SECURE: Sanitize before rendering
import DOMPurify from 'dompurify';

const Component = ({ html }) => (
  <div dangerouslySetInnerHTML={{
    __html: DOMPurify.sanitize(html)
  }} />
);`
    };

    return patterns[vulnerability] || 'No secure pattern available';
  }
}

4. Automated Scanning Integration

# ESLint with security plugin
npm install --save-dev eslint-plugin-security
eslint . --plugin security

# Semgrep for XSS patterns
semgrep --config=p/xss --json

# Custom XSS scanner
node xss-scanner.js --path=src --format=json

5. Report Generation

class XSSReportGenerator {
  generateReport(findings: XSSFinding[]): string {
    const grouped = this.groupBySeverity(findings);

    let report = '# XSS Vulnerability Scan Report\n\n';
    report += `Total Findings: ${findings.length}\n\n`;

    for (const [severity, issues] of Object.entries(grouped)) {
      report += `## ${severity.toUpperCase()} (${issues.length})\n\n`;

      for (const issue of issues) {
        report += `- **${issue.type}**\n`;
        report += `  File: ${issue.file}:${issue.line}\n`;
        report += `  Fix: ${issue.fix}\n\n`;
      }
    }

    return report;
  }

  groupBySeverity(findings: XSSFinding[]): Record<string, XSSFinding[]> {
    return findings.reduce((acc, finding) => {
      if (!acc[finding.severity]) acc[finding.severity] = [];
      acc[finding.severity].push(finding);
      return acc;
    }, {} as Record<string, XSSFinding[]>);
  }
}

6. Prevention Checklist

HTML Manipulation

  • Never use innerHTML with user input
  • Prefer textContent for text content
  • Sanitize with DOMPurify before rendering HTML
  • Avoid document.write entirely

URL Handling

  • Validate all URLs before assignment
  • Block javascript: and data: protocols
  • Use URL constructor for validation
  • Sanitize href attributes

Event Handlers

  • Use addEventListener instead of inline handlers
  • Sanitize all event handler input
  • Avoid string-to-code patterns

Framework-Specific

  • React: Sanitize before using unsafe APIs
  • Vue: Prefer v-text over v-html
  • Angular: Use built-in sanitization
  • Avoid bypassing framework security features

Output Format

  1. Vulnerability Report: Detailed findings with severity levels
  2. Risk Analysis: Impact assessment for each vulnerability
  3. Fix Recommendations: Secure code examples
  4. Sanitization Guide: DOMPurify usage patterns
  5. Prevention Checklist: Best practices for XSS prevention

Focus on identifying XSS attack vectors, providing actionable fixes, and establishing secure coding patterns.

Version History

  • e63f7dd Current 2026-07-05 09:32

Same Skill Collection

skills/accessibility-compliance-accessibility-audit/SKILL.md
skills/agent-orchestration-improve-agent/SKILL.md
skills/agent-orchestration-multi-agent-optimize/SKILL.md
skills/ai-engineer/SKILL.md
skills/airflow-dag-patterns/SKILL.md
skills/angular-migration/SKILL.md
skills/anti-reversing-techniques/SKILL.md
skills/api-design-principles/SKILL.md
skills/api-documenter/SKILL.md
skills/api-testing-observability-api-mock/SKILL.md
skills/application-performance-performance-optimization/SKILL.md
skills/architect-review/SKILL.md
skills/architecture-decision-records/SKILL.md
skills/architecture-patterns/SKILL.md
skills/arm-cortex-expert/SKILL.md
skills/article-illustrations/SKILL.md
skills/async-python-patterns/SKILL.md
skills/attack-tree-construction/SKILL.md
skills/auth-implementation-patterns/SKILL.md
skills/backend-architect/SKILL.md
skills/backend-development-feature-development/SKILL.md
skills/backend-security-coder/SKILL.md
skills/backtesting-frameworks/SKILL.md
skills/bash-defensive-patterns/SKILL.md
skills/bash-pro/SKILL.md
skills/bats-testing-patterns/SKILL.md
skills/bazel-build-optimization/SKILL.md
skills/billing-automation/SKILL.md
skills/binary-analysis-patterns/SKILL.md
skills/blockchain-developer/SKILL.md
skills/business-analyst/SKILL.md
skills/c-pro/SKILL.md
skills/c4-architecture-c4-architecture/SKILL.md
skills/c4-code/SKILL.md
skills/c4-component/SKILL.md
skills/c4-container/SKILL.md
skills/c4-context/SKILL.md
skills/changelog-automation/SKILL.md
skills/cicd-automation-workflow-automate/SKILL.md
skills/cloud-architect/SKILL.md
skills/code-documentation-code-explain/SKILL.md
skills/code-documentation-doc-generate/SKILL.md
skills/code-refactoring-context-restore/SKILL.md
skills/code-refactoring-refactor-clean/SKILL.md
skills/code-refactoring-tech-debt/SKILL.md
skills/code-review-ai-ai-review/SKILL.md
skills/code-review-excellence/SKILL.md
skills/code-reviewer/SKILL.md
skills/codebase-cleanup-deps-audit/SKILL.md
skills/codebase-cleanup-refactor-clean/SKILL.md
skills/codebase-cleanup-tech-debt/SKILL.md
skills/competitive-landscape/SKILL.md
skills/comprehensive-review-full-review/SKILL.md
skills/comprehensive-review-pr-enhance/SKILL.md
skills/conductor-implement/SKILL.md
skills/conductor-manage/SKILL.md
skills/conductor-new-track/SKILL.md
skills/conductor-revert/SKILL.md
skills/conductor-setup/SKILL.md
skills/conductor-status/SKILL.md
skills/conductor-validator/SKILL.md
skills/content-marketer/SKILL.md
skills/context-driven-development/SKILL.md
skills/context-management-context-restore/SKILL.md
skills/context-management-context-save/SKILL.md
skills/context-manager/SKILL.md
skills/cost-optimization/SKILL.md
skills/cpp-pro/SKILL.md
skills/cqrs-implementation/SKILL.md
skills/csharp-pro/SKILL.md
skills/customer-support/SKILL.md
skills/data-engineer/SKILL.md
skills/data-engineering-data-driven-feature/SKILL.md
skills/data-engineering-data-pipeline/SKILL.md
skills/data-quality-frameworks/SKILL.md
skills/data-scientist/SKILL.md
skills/data-storytelling/SKILL.md
skills/database-admin/SKILL.md
skills/database-architect/SKILL.md
skills/database-cloud-optimization-cost-optimize/SKILL.md
skills/database-migration/SKILL.md
skills/database-migrations-migration-observability/SKILL.md
skills/database-migrations-sql-migrations/SKILL.md
skills/database-optimizer/SKILL.md
skills/dbt-transformation-patterns/SKILL.md
skills/debugger/SKILL.md
skills/debugging-strategies/SKILL.md
skills/debugging-toolkit-smart-debug/SKILL.md
skills/defi-protocol-templates/SKILL.md
skills/dependency-management-deps-audit/SKILL.md
skills/dependency-upgrade/SKILL.md
skills/deployment-engineer/SKILL.md
skills/deployment-pipeline-design/SKILL.md
skills/deployment-validation-config-validate/SKILL.md
skills/devops-troubleshooter/SKILL.md
skills/distributed-debugging-debug-trace/SKILL.md
skills/distributed-tracing/SKILL.md
skills/django-pro/SKILL.md
skills/docs-architect/SKILL.md
skills/documentation-generation-doc-generate/SKILL.md
skills/dotnet-architect/SKILL.md
skills/dotnet-backend-patterns/SKILL.md
skills/dx-optimizer/SKILL.md
skills/e2e-testing-patterns/SKILL.md
skills/elixir-pro/SKILL.md
skills/embedding-strategies/SKILL.md
skills/employment-contract-templates/SKILL.md
skills/error-debugging-error-analysis/SKILL.md
skills/error-debugging-error-trace/SKILL.md
skills/error-debugging-multi-agent-review/SKILL.md
skills/error-detective/SKILL.md
skills/error-diagnostics-error-analysis/SKILL.md
skills/error-diagnostics-error-trace/SKILL.md
skills/error-diagnostics-smart-debug/SKILL.md
skills/error-handling-patterns/SKILL.md
skills/event-sourcing-architect/SKILL.md
skills/event-store-design/SKILL.md
skills/fastapi-pro/SKILL.md
skills/fastapi-templates/SKILL.md
skills/firmware-analyst/SKILL.md
skills/flutter-expert/SKILL.md
skills/framework-migration-code-migrate/SKILL.md
skills/framework-migration-deps-upgrade/SKILL.md
skills/framework-migration-legacy-modernize/SKILL.md
skills/frontend-developer/SKILL.md
skills/frontend-mobile-development-component-scaffold/SKILL.md
skills/frontend-security-coder/SKILL.md
skills/full-stack-orchestration-full-stack-feature/SKILL.md
skills/gdpr-data-handling/SKILL.md
skills/git-advanced-workflows/SKILL.md
skills/git-pr-workflows-git-workflow/SKILL.md
skills/git-pr-workflows-onboard/SKILL.md
skills/git-pr-workflows-pr-enhance/SKILL.md
skills/github-actions-templates/SKILL.md
skills/gitlab-ci-patterns/SKILL.md
skills/gitops-workflow/SKILL.md
skills/go-concurrency-patterns/SKILL.md
skills/godot-gdscript-patterns/SKILL.md
skills/golang-pro/SKILL.md
skills/grafana-dashboards/SKILL.md
skills/graphql-architect/SKILL.md
skills/haskell-pro/SKILL.md
skills/helm-chart-scaffolding/SKILL.md
skills/hr-pro/SKILL.md
skills/hybrid-cloud-architect/SKILL.md
skills/hybrid-cloud-networking/SKILL.md
skills/hybrid-search-implementation/SKILL.md
skills/incident-responder/SKILL.md
skills/incident-response-incident-response/SKILL.md
skills/incident-response-smart-fix/SKILL.md
skills/incident-runbook-templates/SKILL.md
skills/ios-developer/SKILL.md
skills/istio-traffic-management/SKILL.md
skills/java-pro/SKILL.md
skills/javascript-pro/SKILL.md
skills/javascript-testing-patterns/SKILL.md
skills/javascript-typescript-typescript-scaffold/SKILL.md
skills/julia-pro/SKILL.md
skills/k8s-manifest-generator/SKILL.md
skills/k8s-security-policies/SKILL.md
skills/kpi-dashboard-design/SKILL.md
skills/kubernetes-architect/SKILL.md
skills/langchain-architecture/SKILL.md
skills/legacy-modernizer/SKILL.md
skills/legal-advisor/SKILL.md
skills/linkerd-patterns/SKILL.md
skills/llm-application-dev-ai-assistant/SKILL.md
skills/llm-application-dev-langchain-agent/SKILL.md
skills/llm-application-dev-prompt-optimize/SKILL.md
skills/llm-evaluation/SKILL.md
skills/machine-learning-ops-ml-pipeline/SKILL.md
skills/malware-analyst/SKILL.md
skills/market-sizing-analysis/SKILL.md
skills/memory-forensics/SKILL.md
skills/memory-safety-patterns/SKILL.md
skills/mermaid-expert/SKILL.md
skills/microservices-patterns/SKILL.md
skills/minecraft-bukkit-pro/SKILL.md
skills/ml-engineer/SKILL.md
skills/ml-pipeline-workflow/SKILL.md
skills/mlops-engineer/SKILL.md
skills/mobile-developer/SKILL.md
skills/mobile-security-coder/SKILL.md
skills/modern-javascript-patterns/SKILL.md
skills/monorepo-architect/SKILL.md
skills/monorepo-management/SKILL.md
skills/mtls-configuration/SKILL.md
skills/multi-cloud-architecture/SKILL.md
skills/multi-platform-apps-multi-platform/SKILL.md
skills/network-engineer/SKILL.md
skills/nextjs-app-router-patterns/SKILL.md
skills/nft-standards/SKILL.md
skills/nodejs-backend-patterns/SKILL.md
skills/nx-workspace-patterns/SKILL.md
skills/observability-engineer/SKILL.md
skills/observability-monitoring-monitor-setup/SKILL.md
skills/observability-monitoring-slo-implement/SKILL.md
skills/on-call-handoff-patterns/SKILL.md
skills/openapi-spec-generation/SKILL.md
skills/payment-integration/SKILL.md
skills/paypal-integration/SKILL.md
skills/pci-compliance/SKILL.md
skills/performance-engineer/SKILL.md
skills/performance-testing-review-ai-review/SKILL.md
skills/performance-testing-review-multi-agent-review/SKILL.md
skills/php-pro/SKILL.md
skills/posix-shell-pro/SKILL.md
skills/postgresql/SKILL.md
skills/postmortem-writing/SKILL.md
skills/projection-patterns/SKILL.md
skills/prometheus-configuration/SKILL.md
skills/prompt-engineer/SKILL.md
skills/prompt-engineering-patterns/SKILL.md
skills/protocol-reverse-engineering/SKILL.md
skills/python-packaging/SKILL.md
skills/python-performance-optimization/SKILL.md
skills/python-pro/SKILL.md
skills/python-testing-patterns/SKILL.md
skills/quant-analyst/SKILL.md
skills/rag-implementation/SKILL.md
skills/react-modernization/SKILL.md
skills/react-native-architecture/SKILL.md
skills/react-state-management/SKILL.md
skills/reference-builder/SKILL.md
skills/reverse-engineer/SKILL.md
skills/risk-manager/SKILL.md
skills/risk-metrics-calculation/SKILL.md
skills/ruby-pro/SKILL.md
skills/rust-async-patterns/SKILL.md
skills/rust-pro/SKILL.md
skills/saga-orchestration/SKILL.md
skills/sales-automator/SKILL.md
skills/sast-configuration/SKILL.md
skills/scala-pro/SKILL.md
skills/screen-reader-testing/SKILL.md
skills/search-specialist/SKILL.md
skills/secrets-management/SKILL.md
skills/security-auditor/SKILL.md
skills/security-compliance-compliance-check/SKILL.md
skills/security-requirement-extraction/SKILL.md
skills/security-scanning-security-dependencies/SKILL.md
skills/security-scanning-security-hardening/SKILL.md
skills/security-scanning-security-sast/SKILL.md
skills/seo-authority-builder/SKILL.md
skills/seo-cannibalization-detector/SKILL.md
skills/seo-content-auditor/SKILL.md
skills/seo-content-planner/SKILL.md
skills/seo-content-refresher/SKILL.md
skills/seo-content-writer/SKILL.md
skills/seo-keyword-strategist/SKILL.md
skills/seo-meta-optimizer/SKILL.md
skills/seo-snippet-hunter/SKILL.md
skills/seo-structure-architect/SKILL.md
skills/service-mesh-expert/SKILL.md
skills/service-mesh-observability/SKILL.md
skills/shellcheck-configuration/SKILL.md
skills/similarity-search-patterns/SKILL.md
skills/slo-implementation/SKILL.md
skills/solidity-security/SKILL.md
skills/spark-optimization/SKILL.md
skills/sql-optimization-patterns/SKILL.md
skills/sql-pro/SKILL.md
skills/startup-analyst/SKILL.md
skills/startup-business-analyst-business-case/SKILL.md
skills/startup-business-analyst-financial-projections/SKILL.md
skills/startup-business-analyst-market-opportunity/SKILL.md
skills/startup-financial-modeling/SKILL.md
skills/startup-metrics-framework/SKILL.md
skills/stride-analysis-patterns/SKILL.md
skills/stripe-integration/SKILL.md
skills/systems-programming-rust-project/SKILL.md
skills/tailwind-design-system/SKILL.md
skills/tdd-orchestrator/SKILL.md
skills/tdd-workflows-tdd-green/SKILL.md
skills/tdd-workflows-tdd-red/SKILL.md
skills/team-collaboration-issue/SKILL.md
skills/team-collaboration-standup-notes/SKILL.md
skills/team-composition-analysis/SKILL.md
skills/temporal-python-pro/SKILL.md
skills/temporal-python-testing/SKILL.md
skills/terraform-module-library/SKILL.md
skills/terraform-specialist/SKILL.md
skills/test-automator/SKILL.md
skills/threat-mitigation-mapping/SKILL.md
skills/threat-modeling-expert/SKILL.md
skills/track-management/SKILL.md
skills/turborepo-caching/SKILL.md
skills/tutorial-engineer/SKILL.md
skills/typescript-advanced-types/SKILL.md
skills/typescript-pro/SKILL.md
skills/ui-ux-designer/SKILL.md
skills/ui-visual-validator/SKILL.md
skills/unit-testing-test-generate/SKILL.md
skills/unity-developer/SKILL.md
skills/unity-ecs-patterns/SKILL.md
skills/uv-package-manager/SKILL.md
skills/vector-database-engineer/SKILL.md
skills/vector-index-tuning/SKILL.md
skills/wcag-audit-patterns/SKILL.md
skills/web3-testing/SKILL.md
skills/workflow-orchestration-patterns/SKILL.md
skills/workflow-patterns/SKILL.md
skills/tdd-workflows-tdd-cycle/SKILL.md
skills/tdd-workflows-tdd-refactor/SKILL.md

Metadata

Files
0
Version
e63f7dd
Hash
eb86b9c2
Indexed
2026-07-05 09:32

Accueil - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 23:36
浙ICP备14020137号-1 $Carte des visiteurs$