{"id":"d593e019-9000-419c-b274-d9dcd79ea4ec","shortId":"y7SXEY","kind":"skill","title":"frontend-mobile-security-xss-scan","tagline":"You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi","description":"# XSS Vulnerability Scanner for Frontend Code\n\nYou are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection points, unsafe DOM manipulation, and improper sanitization.\n\n## Use this skill when\n\n- Working on xss vulnerability scanner for frontend code tasks or workflows\n- Needing guidance, best practices, or checklists for xss vulnerability scanner for frontend code\n\n## Do not use this skill when\n\n- The task is unrelated to xss vulnerability scanner for frontend code\n- You need a different domain or tool outside this scope\n\n## Context\n\nThe user needs comprehensive XSS vulnerability scanning for client-side code, identifying dangerous patterns like unsafe HTML manipulation, URL handling issues, and improper user input rendering. Focus on context-aware detection and framework-specific security patterns.\n\n## Requirements\n\n$ARGUMENTS\n\n## Instructions\n\n### 1. 
XSS Vulnerability Detection\n\nScan codebase for XSS vulnerabilities using static analysis:\n\n```typescript\nimport { promises as fs } from 'fs';\nimport * as path from 'path';\n\ninterface XSSFinding {\n  file: string;\n  line: number;\n  severity: 'critical' | 'high' | 'medium' | 'low';\n  type: string;\n  vulnerable_code: string;\n  description: string;\n  fix: string;\n  cwe: string;\n}\n\nclass XSSScanner {\n  // HTML sinks: text reaching these is parsed as markup\n  private htmlSinks = ['innerHTML', 'outerHTML', 'document.write', 'insertAdjacentHTML'];\n  // Navigation sinks: a javascript: URL reaching these executes as script\n  private urlSinks = ['location.', 'window.open'];\n\n  async scanDirectory(dir: string): Promise<XSSFinding[]> {\n    const files = await this.findJavaScriptFiles(dir);\n    const findings: XSSFinding[] = [];\n\n    for (const file of files) {\n      const content = await fs.readFile(file, 'utf-8');\n      findings.push(...this.scanFile(file, content));\n    }\n\n    return findings;\n  }\n\n  // Recursively collect JavaScript/TypeScript sources, skipping node_modules\n  async findJavaScriptFiles(dir: string): Promise<string[]> {\n    const extensions = ['.js', '.jsx', '.ts', '.tsx'];\n    const result: string[] = [];\n\n    for (const entry of await fs.readdir(dir, { withFileTypes: true })) {\n      const full = path.join(dir, entry.name);\n      if (entry.isDirectory()) {\n        if (entry.name !== 'node_modules') {\n          result.push(...await this.findJavaScriptFiles(full));\n        }\n      } else if (extensions.includes(path.extname(entry.name))) {\n        result.push(full);\n      }\n    }\n\n    return result;\n  }\n\n  scanFile(filePath: string, content: string): XSSFinding[] {\n    const findings: XSSFinding[] = [];\n\n    findings.push(...this.detectHTMLManipulation(filePath, content));\n    findings.push(...this.detectReactVulnerabilities(filePath, content));\n    findings.push(...this.detectURLVulnerabilities(filePath, content));\n    findings.push(...this.detectEventHandlerIssues(filePath, content));\n\n    return findings;\n  }\n\n  detectHTMLManipulation(file: string, content: string): XSSFinding[] {\n    const findings: XSSFinding[] = [];\n    const lines = content.split('\\n');\n\n    lines.forEach((line, index) => {\n      if (this.htmlSinks.some(sink => line.includes(sink)) && this.hasUserInput(line)) {\n        findings.push({\n          file,\n          line: index + 1,\n          severity: 'critical',\n          type: 'Unsafe HTML manipulation',\n          vulnerable_code: line.trim(),\n          description: 'User-controlled data in HTML manipulation creates XSS risk',\n          fix: 'Use textContent for plain text or sanitize with DOMPurify library',\n          cwe: 'CWE-79'\n        });\n      }\n    });\n\n    return findings;\n  }\n\n  
detectReactVulnerabilities(file: string, content: string): XSSFinding[] {\n    const findings: XSSFinding[] = [];\n    const lines = content.split('\\n');\n\n    lines.forEach((line, index) => {\n      if (line.includes('dangerously') && !this.hasSanitization(content)) {\n        findings.push({\n          file,\n          line: index + 1,\n          severity: 'high',\n          type: 'React unsafe HTML rendering',\n          vulnerable_code: line.trim(),\n          description: 'Unsanitized HTML in React component creates XSS vulnerability',\n          fix: 'Apply DOMPurify.sanitize() before rendering or use safe alternatives',\n          cwe: 'CWE-79'\n        });\n      }\n    });\n\n    return findings;\n  }\n\n  detectURLVulnerabilities(file: string, content: string): XSSFinding[] {\n    const findings: XSSFinding[] = [];\n    const lines = content.split('\\n');\n\n    lines.forEach((line, index) => {\n      if (this.urlSinks.some(sink => line.includes(sink)) && this.hasUserInput(line)) {\n        findings.push({\n          file,\n          line: index + 1,\n          severity: 'high',\n          type: 'URL injection',\n          vulnerable_code: line.trim(),\n          description: 'User input in URL assignment can execute malicious code',\n          fix: 'Validate URLs and enforce http/https protocols only',\n          cwe: 'CWE-79'\n        });\n      }\n    });\n\n    return findings;\n  }\n\n  detectEventHandlerIssues(file: string, content: string): XSSFinding[] {\n    const findings: XSSFinding[] = [];\n    const lines = content.split('\\n');\n    // Inline handler attributes and string-to-code APIs evaluate text as script\n    const codeSinks = ['onclick=', 'onerror=', 'onload=', 'eval(', 'new Function(', 'setTimeout(', 'setInterval('];\n\n    lines.forEach((line, index) => {\n      if (codeSinks.some(sink => line.includes(sink)) && this.hasUserInput(line)) {\n        findings.push({\n          file,\n          line: index + 1,\n          severity: 'high',\n          type: 'Unsafe event handler or code evaluation',\n          vulnerable_code: line.trim(),\n          description: 'User-controlled data reaching an inline handler or string-to-code API can execute as script',\n          fix: 'Register handlers with addEventListener and never build code from strings',\n          cwe: 'CWE-79'\n        });\n      }\n    });\n\n    return findings;\n  }\n\n  // Heuristic: does the line reference a common carrier of untrusted data?\n  hasUserInput(line: string): boolean {\n    const indicators = ['props', 'state', 'params', 'query', 'input', 'formData'];\n    return indicators.some(indicator => line.includes(indicator));\n  }\n\n  // File-level heuristic: any sanitizer reference anywhere in the file suppresses\n  // the React finding, so a file that sanitizes one value but not another still\n  // needs manual review\n  hasSanitization(content: string): boolean {\n    return content.includes('DOMPurify') || content.includes('sanitize');\n  }\n}\n```\n\n### 2. 
Framework-Specific Detection\n\n```typescript\nclass ReactXSSScanner {\n  scanReactComponent(file: string, code: string): XSSFinding[] {\n    const findings: XSSFinding[] = [];\n    const lines = code.split('\\n');\n\n    // Check for unsafe React patterns\n    const unsafePatterns = [\n      'dangerouslySetInnerHTML',\n      'createMarkup',\n      'rawHtml'\n    ];\n\n    lines.forEach((line, index) => {\n      unsafePatterns.forEach(pattern => {\n        if (line.includes(pattern) && !code.includes('DOMPurify')) {\n          findings.push({\n            file,\n            line: index + 1,\n            severity: 'high',\n            type: 'React XSS risk',\n            vulnerable_code: line.trim(),\n            description: `Pattern ${pattern} used without sanitization`,\n            fix: 'Apply proper HTML sanitization',\n            cwe: 'CWE-79'\n          });\n        }\n      });\n    });\n\n    return findings;\n  }\n}\n\nclass VueXSSScanner {\n  scanVueTemplate(file: string, template: string): XSSFinding[] {\n    const findings: XSSFinding[] = [];\n    const lines = template.split('\\n');\n\n    lines.forEach((line, index) => {\n      if (line.includes('v-html')) {\n        findings.push({\n          file,\n          line: index + 1,\n          severity: 'high',\n          type: 'Vue HTML injection',\n          vulnerable_code: line.trim(),\n          description: 'v-html directive renders raw HTML',\n          fix: 'Use v-text for plain text or sanitize HTML',\n          cwe: 'CWE-79'\n        });\n      }\n    });\n\n    return findings;\n  }\n}\n```\n\n### 3. 
Secure Coding Examples\n\n```typescript\nclass SecureCodingGuide {\n  getSecurePattern(vulnerability: string): string {\n    // Typed as a string map so lookup by an arbitrary key compiles under strict mode\n    const patterns: Record<string, string> = {\n      html_manipulation: `\n// SECURE: Use textContent for plain text\nelement.textContent = userInput;\n\n// SECURE: Sanitize HTML when needed\nimport DOMPurify from 'dompurify';\nconst clean = DOMPurify.sanitize(userInput);\nelement.innerHTML = clean;`,\n\n      url_handling: `\n// SECURE: Validate and sanitize URLs\nfunction sanitizeURL(url: string): string {\n  try {\n    const parsed = new URL(url);\n    if (['http:', 'https:'].includes(parsed.protocol)) {\n      return parsed.href;\n    }\n  } catch {}\n  return '#';\n}`,\n\n      react_rendering: `\n// SECURE: Sanitize before rendering\nimport DOMPurify from 'dompurify';\n\nconst Component = ({ html }) => (\n  <div dangerouslySetInnerHTML={{\n    __html: DOMPurify.sanitize(html)\n  }} />\n);`\n    };\n\n    return patterns[vulnerability] || 'No secure pattern available';\n  }\n}\n```\n\n### 4. Automated Scanning Integration\n\n```bash\n# ESLint with security plugin\nnpm install --save-dev eslint-plugin-security\neslint . --plugin security\n\n# Semgrep for XSS patterns\nsemgrep --config=p/xss --json\n\n# Custom XSS scanner\nnode xss-scanner.js --path=src --format=json\n```\n\n### 5. 
Report Generation\n\n```typescript\nclass XSSReportGenerator {\n  generateReport(findings: XSSFinding[]): string {\n    const grouped = this.groupBySeverity(findings);\n\n    let report = '# XSS Vulnerability Scan Report\\n\\n';\n    report += `Total Findings: ${findings.length}\\n\\n`;\n\n    for (const [severity, issues] of Object.entries(grouped)) {\n      report += `## ${severity.toUpperCase()} (${issues.length})\\n\\n`;\n\n      for (const issue of issues) {\n        report += `- **${issue.type}**\\n`;\n        report += `  File: ${issue.file}:${issue.line}\\n`;\n        report += `  Fix: ${issue.fix}\\n\\n`;\n      }\n    }\n\n    return report;\n  }\n\n  groupBySeverity(findings: XSSFinding[]): Record<string, XSSFinding[]> {\n    return findings.reduce((acc, finding) => {\n      if (!acc[finding.severity]) acc[finding.severity] = [];\n      acc[finding.severity].push(finding);\n      return acc;\n    }, {} as Record<string, XSSFinding[]>);\n  }\n}\n```\n\n### 6. Prevention Checklist\n\n**HTML Manipulation**\n- Never use innerHTML with user input\n- Prefer textContent for text content\n- Sanitize with DOMPurify before rendering HTML\n- Avoid document.write entirely\n\n**URL Handling**\n- Validate all URLs before assignment\n- Block javascript: and data: protocols\n- Use URL constructor for validation\n- Sanitize href attributes\n\n**Event Handlers**\n- Use addEventListener instead of inline handlers\n- Sanitize all event handler input\n- Avoid string-to-code patterns\n\n**Framework-Specific**\n- React: Sanitize before using unsafe APIs\n- Vue: Prefer v-text over v-html\n- Angular: Use built-in sanitization\n- Avoid bypassing framework security features\n\n## Output Format\n\n1. **Vulnerability Report**: Detailed findings with severity levels\n2. **Risk Analysis**: Impact assessment for each vulnerability\n3. **Fix Recommendations**: Secure code examples\n4. **Sanitization Guide**: DOMPurify usage patterns\n5. 
**Prevention Checklist**: Best practices for XSS prevention\n\nFocus on identifying XSS attack vectors, providing actionable fixes, and establishing secure coding patterns.\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["frontend","mobile","security","xss","scan","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills"],"capabilities":["skill","source-sickn33","skill-frontend-mobile-security-xss-scan","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/frontend-mobile-security-xss-scan","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34793 github stars · SKILL.md body (9,296 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T00:50:59.899Z","embedding":null,"createdAt":"2026-04-18T21:37:41.655Z","updatedAt":"2026-04-24T00:50:59.899Z","lastSeenAt":"2026-04-24T00:50:59.899Z","prices":[{"id":"791ce84f-29ed-40a6-bd55-35e2cf52785d","listingId":"d593e019-9000-419c-b274-d9dcd79ea4ec","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:37:41.655Z"}],"sources":[{"listingId":"d593e019-9000-419c-b274-d9dcd79ea4ec","source":"github","sourceId":"sickn33/antigravity-awesome-skills/frontend-mobile-security-xss-scan","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/frontend-mobile-security-xss-scan","isPrimary":false,"firstSeenAt":"2026-04-18T21:37:41.655Z","lastSeenAt":"2026-04-24T00:50:59.899Z"}],"details":{"listingId":"d593e019-9000-419c-b274-d9dcd79ea4ec","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"frontend-mobile-security-xss-scan","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34793,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-24T00:28:59Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"220102acb1d6f25dff1605018542e8271068ceb6","skill_md_path":"skills/frontend-mobile-security-xss-scan/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/frontend-mobile-security-xss-scan"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"frontend-mobile-security-xss-scan","description":"You are a frontend security specialist focusing on Cross-Site Scripting (XSS) vulnerability detection and prevention. Analyze React, Vue, Angular, and vanilla JavaScript code to identify injection poi"},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/frontend-mobile-security-xss-scan"},"updatedAt":"2026-04-24T00:50:59.899Z"}}