frontend-mobile-security-xss-scan
Scan Frontend Code for XSS Vulnerabilities
This skill helps developers identify Cross-Site Scripting (XSS) vulnerabilities in React, Vue, Angular, and vanilla JavaScript code, providing actionable fixes and secure coding patterns.
スキルZIPをダウンロード
Claudeでアップロード
設定 → 機能 → スキル → スキルをアップロードへ移動
オンにして利用開始
テストする
「frontend-mobile-security-xss-scan」を使用しています。 Scan this code for XSS: element.innerHTML = userInput;
期待される結果:
## XSS Vulnerability Found
**Severity:** Critical
**Type:** Unsafe HTML Manipulation
**Location:** Line 1
**CWE:** CWE-79
**Description:** User-controlled data assigned to innerHTML creates XSS risk.
**Fix:** Use element.textContent for plain text, or sanitize with DOMPurify:
```javascript
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);
```
「frontend-mobile-security-xss-scan」を使用しています。 Check this React code: <div dangerouslySetInnerHTML={{__html: content}} />
期待される結果:
## React XSS Risk Found
**Severity:** High
**Type:** React Unsafe HTML Rendering
**Location:** Component
**Issue:** dangerouslySetInnerHTML used without sanitization.
**Fix:** Sanitize before rendering:
```javascript
import DOMPurify from 'dompurify';
<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(content)}} />
```
「frontend-mobile-security-xss-scan」を使用しています。 Find XSS issues in: <a href={userUrl}>Link</a>
期待される結果:
## URL Injection Risk Found
**Severity:** High
**Type:** URL Injection
**Issue:** User-supplied URL in href attribute without validation.
**Fix:** Validate and sanitize URLs:
```javascript
const safeUrl = url.startsWith('http://') || url.startsWith('https://')
? url
: '#';
```
セキュリティ監査
安全This is a legitimate defensive security skill for XSS vulnerability detection. The static analyzer flagged patterns are educational examples of vulnerable code that the skill teaches users how to detect. These patterns include innerHTML usage, fs.readFile for scanning files, and security best practices - all defensive security content, not malicious code. The skill provides guidance on identifying and fixing XSS vulnerabilities in frontend codebases.
中リスクの問題 (1)
低リスクの問題 (1)
リスク要因
⚡ スクリプトを含む (1)
📁 ファイルシステムへのアクセス (1)
品質スコア
作れるもの
Security Audit for Web Application
Scan a React or Vue codebase before production release to identify and fix XSS vulnerabilities.
CI/CD Security Integration
Integrate XSS scanning into build pipelines to catch vulnerabilities before deployment.
Secure Code Review Assistant
Use as a coding companion to review code changes for security issues during development.
これらのプロンプトを試す
Scan this JavaScript code for XSS vulnerabilities: ``` [PASTE CODE HERE] ``` Identify any innerHTML usage, document.write calls, or unsanitized user input rendering.
Review this React component for XSS vulnerabilities: ``` [PASTE REACT CODE HERE] ``` Check for dangerouslySetInnerHTML usage, event handler injection, and prop-based data handling.
Perform a comprehensive XSS security audit on the following codebase. Include severity levels, CWE references, and recommended fixes: ``` [PASTE CODE HERE] ```
What are the secure alternatives to this potentially vulnerable code pattern? ``` [PASTE VULNERABLE CODE] ``` Provide specific fixes using DOMPurify or framework-safe methods.
ベストプラクティス
- Always sanitize user input before rendering HTML using DOMPurify or similar libraries
- Prefer textContent over innerHTML for rendering plain text content
- Validate and whitelist URL protocols (http, https) before assigning to href or location
回避
- Using innerHTML with direct user input without sanitization
- Using dangerouslySetInnerHTML without DOMPurify sanitization
- Assigning user-controlled URLs to location.href without validation