sast-xss
Detects Cross-Site Scripting (XSS) vulnerabilities in codebases using a structured three-phase approach for security assessments.
Security score
The sast-xss skill was audited on Jun 6, 2026 and we found 15 security issues across 3 threat categories, including 2 critical. Review the findings below before installing.
Categories Tested
Security Issues

Line numbers refer to the skill's source file. Judging from the snippets themselves (blockquoted `> -` list items, a vulnerable/fixed pair at lines 224 and 231, a taint-trace template at line 535, example `curl` commands at 542 and 543), most flagged lines are the XSS sink patterns and example payloads the skill documents for detection rather than code the skill executes; confirm each against the file before treating it as exploitable.

| Finding | Line | Snippet |
| --- | --- | --- |
| Eval function call - arbitrary code execution | 60 | - `eval(var)` |
| Eval function call - arbitrary code execution | 270 | eval(event.data); |
| Eval function call - arbitrary code execution | 400 | > - `eval(var)` |
| Template literal with variable interpolation in command context | 40 | - Java/JSP: `<%= var %>`, `${var}` without `<c:out>` or `fn:escapeXml()` |
| Template literal with variable interpolation in command context | 41 | - Java/Thymeleaf: `th:utext="${var}"` (unescaped), `[(${var})]` |
| Template literal with variable interpolation in command context | 95 | \`\`\` |
| Template literal with variable interpolation in command context | 125 | \`\`\`java |
| Template literal with variable interpolation in command context | 224 | res.send(`<h1>Results for: ${query}</h1>`); |
| Template literal with variable interpolation in command context | 231 | res.send(`<h1>Results for: ${escapeHtml(query)}</h1>`); |
| Template literal with variable interpolation in command context | 325 | \`\`\`jsp |
| Template literal with variable interpolation in command context | 377 | > - Thymeleaf: `th:utext="${var}"`, `[(${var})]` |
| Template literal with variable interpolation in command context | 535 | > - **Taint trace**: [Step-by-step from source to sink — e.g., "req.query.q → query → `<h1>${query}</h1>` → res.send()"] |
| Curl to non-GitHub URL | 542 | > Example: curl "https://app.example.com/search?q=<script>alert(1)</script>" |
| External URL reference | 542 | > Example: curl "https://app.example.com/search?q=<script>alert(1)</script>" |
| External URL reference | 543 | > Or: Visit https://app.example.com/#<img src=x onerror=alert(1)> and observe alert box] |
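To make the two executable sink patterns in the findings concrete, here is an added example written for this page; it is not code from the sast-xss skill or from the audit. It places the reflected sink flagged at line 224 beside the escaped form at line 231, and the `eval(event.data)` message handler at line 270 beside a hardened handler that checks the sender origin and dispatches on an allow-list. The `escapeHtml` body, the `TRUSTED_ORIGIN` value, the `setTheme` command and the sample messages are assumptions constructed for this example; the skill's own `escapeHtml` is not shown on the page.

```javascript
// Added example for this page (not code from the sast-xss skill or the audit).
// Two sink patterns from the findings table, each beside a hardened version,
// written as pure functions so the before/after behaviour can be compared.

// Stand-in for the escapeHtml helper the flagged line 231 calls; its real body
// is not shown on the page (assumption). Escapes the five characters that can
// break out of an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected XSS sink (pattern at line 224): untrusted query text interpolated
// straight into the response body.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened form (pattern at line 231): escape before interpolating.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// DOM sink (pattern at line 270): a message listener that evals event.data.
// Any window holding a reference to this one can post a string, and it runs
// with this origin's privileges regardless of where it came from.
function handleMessageVulnerable(event) {
  // eslint-disable-next-line no-eval
  return eval(event.data);
}

// Hardened handler: verify the sender's origin, parse the payload as JSON,
// and dispatch only to an allow-list of commands. The origin and the command
// set are assumptions for this example.
const TRUSTED_ORIGIN = 'https://app.example.com';
const COMMANDS = {
  setTheme: (args) => ({ theme: args.theme === 'dark' ? 'dark' : 'light' }),
};

function handleMessageSafe(event) {
  if (event.origin !== TRUSTED_ORIGIN) return null;
  let msg;
  try {
    msg = JSON.parse(event.data);
  } catch {
    return null;
  }
  if (!msg || typeof msg !== 'object') return null;
  // hasOwnProperty keeps inherited keys such as "__proto__" off the allow-list.
  const handler = Object.prototype.hasOwnProperty.call(COMMANDS, msg.cmd) ? COMMANDS[msg.cmd] : null;
  return handler ? handler(msg.args || {}) : null;
}

// Constructed sample inputs: the payload from the audit's curl example, and a
// JavaScript expression an attacker-controlled frame might post.
const XSS_PAYLOAD = '<script>alert(1)</script>';
const EVIL_MESSAGE = { origin: 'https://evil.example', data: '6*7' };
const GOOD_MESSAGE = {
  origin: TRUSTED_ORIGIN,
  data: JSON.stringify({ cmd: 'setTheme', args: { theme: 'dark' } }),
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderSearchVulnerable(XSS_PAYLOAD)); // script tag reaches the page
  console.log(renderSearchSafe(XSS_PAYLOAD));       // entities only
  console.log(handleMessageVulnerable(EVIL_MESSAGE)); // 42: attacker code ran
  console.log(handleMessageSafe(EVIL_MESSAGE));       // null: origin rejected
  console.log(handleMessageSafe(GOOD_MESSAGE));       // { theme: 'dark' }
}
```

The hardened message handler does not try to sanitise the string before `eval`; there is no safe subset of JavaScript source to allow through, so the fix is to stop treating `event.data` as code at all and to pin the accepted origin, since `event.origin` is the only sender identity the browser guarantees.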