Can it help with backend sanitization?

While focused on the web, it includes patterns for server-side sanitization using libraries like Bleach for Python and specialized Node.js encoding classes.

What XSS attack vectors are covered?

The skill provides defenses for Reflected XSS, Stored XSS, DOM-based XSS, and Mutation XSS through a combination of encoding, sanitization, and architectural shifts.

Does this skill provide Content Security Policy (CSP) templates?

Yes, it includes ready-to-use CSP configurations for Express middleware, including nonce-based script protection and strict source directives.

How does this skill help prevent XSS in React applications?

It provides standardized patterns for using DOMPurify with dangerouslySetInnerHTML, implement secure URL handling, and identifies unsafe DOM manipulation habits.

Does it follow OWASP standards?

Yes, the implementation patterns are aligned with the OWASP XSS Prevention Cheat Sheet and industry-standard secure coding practices.

XSS Security & Prevention

Name: XSS Security & Prevention
Author: secondsky

bysecondsky

•

安全与测试

Implements robust cross-site scripting (XSS) protections through advanced input sanitization, output encoding, and secure Content Security Policy configurations.

This skill provides comprehensive guidance and implementation patterns for securing web applications against Cross-Site Scripting (XSS) attacks. It equips Claude with the ability to automatically apply context-specific output encoding, configure DOMPurify for rich-text sanitization, and generate strict Content Security Policy (CSP) headers. Whether you are building comment systems, handling user-generated content, or remediating DOM-based vulnerabilities, this skill ensures your code adheres to OWASP best practices and modern secure coding standards across frameworks like Node.js, React, and Python.

主要功能

0121 GitHub stars

02URL protocol validation to prevent javascript: pseudo-protocol injections

03Strict Content Security Policy (CSP) header generation and nonce management

04Advanced DOMPurify integration for safe rich-text rendering with allowlists

05Context-specific output encoding for HTML, attributes, and JavaScript contexts

06Identification and replacement of dangerous DOM APIs with safe alternatives

使用场景

01Implementing safe rich-text editors and dynamic HTML rendering

02Remediating reflected, stored, and DOM-based XSS vulnerabilities in legacy code

03Securing user-generated content in comment systems or social feeds

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add secondsky/claude-skills xss-prevention

For use in Claude.ai and ChatGPT

Download Skill