Can it help with backend sanitization?

While focused on the web, it includes patterns for server-side sanitization using libraries like Bleach for Python and specialized Node.js encoding classes.

What XSS attack vectors are covered?

The skill provides defenses for Reflected XSS, Stored XSS, DOM-based XSS, and Mutation XSS through a combination of encoding, sanitization, and architectural shifts.

Does this skill provide Content Security Policy (CSP) templates?

Yes, it includes ready-to-use CSP configurations for Express middleware, including nonce-based script protection and strict source directives.

How does this skill help prevent XSS in React applications?

It provides standardized patterns for using DOMPurify with dangerouslySetInnerHTML, implement secure URL handling, and identifies unsafe DOM manipulation habits.

Does it follow OWASP standards?

Yes, the implementation patterns are aligned with the OWASP XSS Prevention Cheat Sheet and industry-standard secure coding practices.

XSS Security & Prevention

Name: XSS Security & Prevention
Author: secondsky

bysecondsky

•

Seguridad y Pruebas

Implements robust cross-site scripting (XSS) protections through advanced input sanitization, output encoding, and secure Content Security Policy configurations.

Acerca de

This skill provides comprehensive guidance and implementation patterns for securing web applications against Cross-Site Scripting (XSS) attacks. It equips Claude with the ability to automatically apply context-specific output encoding, configure DOMPurify for rich-text sanitization, and generate strict Content Security Policy (CSP) headers. Whether you are building comment systems, handling user-generated content, or remediating DOM-based vulnerabilities, this skill ensures your code adheres to OWASP best practices and modern secure coding standards across frameworks like Node.js, React, and Python.

Características Principales

21 GitHub stars
URL protocol validation to prevent javascript: pseudo-protocol injections
Strict Content Security Policy (CSP) header generation and nonce management
Advanced DOMPurify integration for safe rich-text rendering with allowlists
Context-specific output encoding for HTML, attributes, and JavaScript contexts
Identification and replacement of dangerous DOM APIs with safe alternatives

Casos de Uso

Implementing safe rich-text editors and dynamic HTML rendering
Remediating reflected, stored, and DOM-based XSS vulnerabilities in legacy code
Securing user-generated content in comment systems or social feeds

Acerca de

Características Principales

21 GitHub stars
URL protocol validation to prevent javascript: pseudo-protocol injections
Strict Content Security Policy (CSP) header generation and nonce management
Advanced DOMPurify integration for safe rich-text rendering with allowlists
Context-specific output encoding for HTML, attributes, and JavaScript contexts
Identification and replacement of dangerous DOM APIs with safe alternatives

Casos de Uso

Implementing safe rich-text editors and dynamic HTML rendering
Remediating reflected, stored, and DOM-based XSS vulnerabilities in legacy code
Securing user-generated content in comment systems or social feeds