{"id":23435528,"url":"https://github.com/customcommander/xss-lang","last_synced_at":"2025-08-25T23:32:09.010Z","repository":{"id":45932615,"uuid":"280469116","full_name":"customcommander/xss-lang","owner":"customcommander","description":"An experimental grammar for parsing XSS attacks","archived":false,"fork":false,"pushed_at":"2023-07-12T06:36:07.000Z","size":89,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-08-04T13:46:37.998Z","etag":null,"topics":["grammar","javascript","nearley","parser","security","xss"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/customcommander.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-17T16:08:27.000Z","updated_at":"2023-08-04T13:46:37.999Z","dependencies_parsed_at":"2022-09-05T16:00:40.797Z","dependency_job_id":null,"html_url":"https://github.com/customcommander/xss-lang","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/customcommander%2Fxss-lang","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/customcommander%2Fxss-lang/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/customcommander%2Fxss-lang/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/customcommander%2Fxss-lang/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/customcommander","download_url":"https://codeload.github.com/customcommander/xss-lang/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230964307,"owners_count":18307466,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["grammar","javascript","nearley","parser","security","xss"],"created_at":"2024-12-23T12:51:48.021Z","updated_at":"2024-12-23T12:51:48.977Z","avatar_url":"https://github.com/customcommander.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"⚠️ _This package is not for production use yet._\n\n# xss-lang\n\nAn experimental grammar for parsing XSS attacks.\n\n## TL; DR\n\nThis package provides a single function for **detecting** (not mitigating) XSS threats in your JavaScript strings:\n\n```javascript\nconst scan = require('@customcommander/xss-lang');\n\nscan(\"\u0026#x6a;\u0026#x61;\u0026#x76;\u0026#x61;\u0026#x73;\u0026#x63;\u0026#x72;\u0026#x69;\u0026#x70;\u0026#x74;:alert('XSS!')\");\n/*\n{ threat: \"js_url\"\n, raw: \"\u0026#x6a;\u0026#x61;\u0026#x76;\u0026#x61;\u0026#x73;\u0026#x63;\u0026#x72;\u0026#x69;\u0026#x70;\u0026#x74;:alert('XSS!')\"\n, found: \"javascript:alert('XSS!')\"\n}\n*/\n```\n\n## Why?\n\nYour web application _will_ be attacked. Period.\n\nWith this parser I wanted to understand the different threats a web application can be exposed to. Knowing what's coming in and out of your application can help you detect and react to potential attacks.\n\n### Example\n\nSay we need to create a function that adds links to a page:\n\n```javascript\nfunction add_link(link) {\n  const p = document.createElement('p');\n  p.innerHTML = `\u003ca href=\"${link}\"\u003eCLICK ME\u003c/a\u003e`;\n  document.body.appendChild(p);\n}\n```\n\nTo add a link to a page we simply need to call the function as such:\n\n```javascript\nadd_link(\"https://example.com\");\n```\n\nHowever the attentive reader will notice that this function is vulnerable to XSS attacks:\n\n```javascript\nadd_link(\"javascript:alert('XSS!')\");\n```\n\nWhen the user clicks on that link, an alert box will be displayed. This example is harmless but it demonstrates that code can be executed with full user privileges. If that code comes from an untrusted source there is a high probability that it will cause some damage.\n\nHere's a naive approach to mitigate this threat:\n\n```javascript\nfunction add_link(link) {\n  if (link.startsWith('javascript:')){\n    return;\n  }\n  const p = document.createElement('p');\n  p.innerHTML = `\u003ca href=\"${link}\"\u003eCLICK ME\u003c/a\u003e`;\n  document.body.appendChild(p);\n}\n```\n\nHowever this will defeat the check yet still allow code to be executed:\n\n```javascript\nadd_link(\"jaVAscRIpt:alert('XSS!')\");\n```\n\nAnd so will this:\n\n```javascript\nadd_link(\"jaVA\u0026#0000009;scRIpt:alert('XSS!')\");\n```\n\nThere's plenty more variations of this than you can handle...\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcustomcommander%2Fxss-lang","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcustomcommander%2Fxss-lang","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcustomcommander%2Fxss-lang/lists"}