Overview
XSS, cookie, and DOM security rules for client-side JavaScript
AI-Optimized Security
Every rule includes CWE, OWASP, and CVSS metadata for AI assistants to provide precise, context-aware fixes.
Browser-specific security rules to prevent XSS and other client-side attacks.
If this plugin caught a real bug for you, star the repo; it's the signal that keeps these rules maintained.
Description
This plugin provides browser-specific security rules to prevent XSS and other client-side attacks.
Philosophy
Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.
Getting Started
- To check out the guide, visit eslint.interlace.tools.
```shell
npm install eslint-plugin-browser-security --save-dev
```
Configuration Presets
| Preset | Description |
|---|---|
| recommended | Recommended security configuration |
| strict | Strict security configuration: all rules as errors |
LLM-Optimized Messages
All rules include structured remediation guidance designed for AI assistants:
```text
[browser-security/no-innerhtml] XSS vulnerability: Direct HTML assignment detected.
CONTEXT:
  • Pattern: element.innerHTML = unsanitizedInput
  • Risk: Any script in unsanitizedInput will execute
REMEDIATION:
  Option A (Preferred): Use textContent for plain text
    element.textContent = userInput;
  Option B: Sanitize before insertion
    element.innerHTML = DOMPurify.sanitize(userInput);
References:
  • CWE-79: https://cwe.mitre.org/data/definitions/79.html
  • OWASP XSS Prevention: https://owasp.org/...
```
By providing this structured context (CWE, OWASP, Fix), we enable AI tools to reason about the security flaw rather than hallucinating. This allows Copilot/Cursor to suggest the exact correct fix immediately.
What You Get
- 21 security rules targeting browser-specific vulnerabilities
- XSS prevention via DOM manipulation and dynamic content detection
- Storage security preventing sensitive data exposure in localStorage/sessionStorage/IndexedDB
- Cross-origin protection with postMessage origin validation
- LLM-optimized messages with CWE references and auto-fix suggestions
- OWASP Top 10 coverage for browser security patterns
Why This Plugin?
Modern browser applications face unique security challenges across storage APIs, cross-origin communication, and dynamic content rendering. This plugin provides static analysis rules specifically designed for browser security patterns:
- XSS Prevention: Detects dangerous DOM manipulation patterns
- Storage Security: Prevents sensitive data exposure in localStorage/sessionStorage/IndexedDB
- Cross-Origin Protection: Validates postMessage origin checks
- Cookie Security: Identifies insecure cookie handling in JavaScript
- LLM-Optimized: All rules include AI-friendly remediation guidance
Detection Examples
Vulnerable Code
```javascript
// XSS via innerHTML
element.innerHTML = userInput;

// Code injection via eval
eval(dynamicCode);

// JWT in localStorage (XSS can steal it)
localStorage.setItem('token', jwt);

// postMessage without origin check
window.addEventListener('message', (event) => {
  processData(event.data); // Anyone can send messages!
});
```
Secure Code
```javascript
// Safe text assignment
element.textContent = userInput;

// Or sanitize before HTML insertion
element.innerHTML = DOMPurify.sanitize(userInput);

// Use HttpOnly cookies for auth tokens (set by server)
// Server: Set-Cookie: token=xxx; HttpOnly; Secure; SameSite=Strict

// Origin validation
window.addEventListener('message', (event) => {
  if (event.origin !== 'https://trusted-domain.com') return;
  processData(event.data);
});
```
Compatibility
| Package | Version |
|---|---|
| ESLint | ^8.0.0 \|\| ^9.0.0 \|\| ^10.0.0 |
| Node.js | >=18.0.0 |
See the ESLint Version Support Policy for current ecosystem share data, the 20% gate, and the forward-looking exception that covers v10.
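The origin validation from the Detection Examples above, carried through as a complete handler. This is an added example, not the plugin's own code; ALLOWED_ORIGINS, createMessageHandler, makeEvent and demo are names constructed here. It allowlists origins by exact match and also rejects malformed payloads that arrive from a trusted origin:

```javascript
// Added example (not from the plugin's README): the origin check that
// require-postmessage-origin-check expects, done with an exact-match allowlist.
// ALLOWED_ORIGINS, createMessageHandler, makeEvent and demo are constructed names.
const ALLOWED_ORIGINS = new Set([
  'https://trusted-domain.com',
  'https://app.trusted-domain.com',
]);

function isAllowedOrigin(origin, allowed = ALLOWED_ORIGINS) {
  // Exact match only. startsWith/endsWith/includes comparisons are the usual
  // defect here: 'https://trusted-domain.com.example.net' passes a prefix test.
  // 'null' (sandboxed iframes, opaque origins) arrives as a real string; it is
  // never allowlisted, so it is rejected like any other unknown origin.
  return typeof origin === 'string' && allowed.has(origin);
}

function createMessageHandler(processData, allowed = ALLOWED_ORIGINS) {
  const rejected = []; // kept so a test (or telemetry) can see what was dropped
  const handler = (event) => {
    if (!isAllowedOrigin(event.origin, allowed)) {
      rejected.push(event.origin);
      return; // drop silently; do not reply to the sender
    }
    // Origin says who sent the message, not that the payload is well-formed:
    // validate the shape before handing it to application code.
    const data = event.data;
    if (!data || typeof data !== 'object' || typeof data.type !== 'string') return;
    processData(data);
  };
  handler.rejected = rejected;
  return handler;
}

// Constructed stand-in for a browser MessageEvent so the handler runs under Node.
function makeEvent(origin, data) { return { origin, data }; }

// Runs the handler over a constructed mix of trusted and untrusted events and
// returns what was processed and which origins were rejected.
function demo() {
  const processed = [];
  const handler = createMessageHandler((msg) => processed.push(msg.type));
  handler(makeEvent('https://trusted-domain.com', { type: 'ping' }));
  handler(makeEvent('https://trusted-domain.com.example.net', { type: 'ping' }));
  handler(makeEvent('null', { type: 'ping' }));
  handler(makeEvent('https://app.trusted-domain.com', 'not-an-object'));
  return { processed, rejected: handler.rejected };
}
```

In a page, register the handler with window.addEventListener('message', createMessageHandler(processData)); demo() exists only so the behaviour can be checked outside a browser.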
Rules
Legend
| Column | Description |
|---|---|
| Recommended | Included in the recommended preset. |
| Warns | Set to warn in the recommended preset. |
| Auto-fixable | Automatically fixable by the --fix CLI option. |
| Suggestions | Provides code suggestions in the IDE. |
| Deprecated | This rule is deprecated. |
| Tier: Type-unaware | AST-only; runs in the oxlint JS-plugin tier. |
| Tier: Type-aware (refining) | Pure-AST primary path; types refine precision. |
| Tier: Type-aware (graceful) | Requires a TS program; silent without it. |

| Rule | CWE | OWASP | CVSS | Description | Tier | Recommended | Warns | Auto-fixable | Suggestions | Deprecated |
|---|---|---|---|---|---|---|---|---|---|---|
| detect-mixed-content | CWE-311 | | | Detects HTTP URLs in code that should use HTTPS, preventing mixed content vulnerabilities. | Type-unaware | | | | | |
| no-allow-arbitrary-loads | CWE-295 | | | Prevents disabling App Transport Security (ATS) by detecting allowArbitraryLoads: true in configuration. | Type-unaware | | | | | |
| no-clickjacking | CWE-1021 | | | Detects clickjacking vulnerabilities and missing frame protections. | Type-unaware | | | | | |
| no-client-side-auth-logic | | | | Prevents client-side authentication logic that can be bypassed. | Type-unaware | | | | | |
| no-cookie-auth-tokens | CWE-1004 | A02:2021 | | Prevents storing authentication tokens in JavaScript-accessible cookies. | Type-unaware | | | | | |
| no-credentials-in-query-params | CWE-598 | | | | Type-unaware | | | | | |
| no-disabled-certificate-validation | CWE-295 | | | | Type-unaware | | | | | |
| no-dynamic-service-worker-url | CWE-829 | A08:2021 | | Prevents dynamic URLs in service worker registration. | Type-unaware | | | | | |
| no-eval | CWE-94 | | | Detects dangerous eval() and similar code execution patterns. | Type-unaware | yes | | | | |
| no-filereader-innerhtml | CWE-693 | A03:2021 | | | Type-unaware | | | | | |
| no-http-urls | CWE-319 | | | | Type-unaware | | | | | |
| no-innerhtml | CWE-79 | | | Detects dangerous innerHTML/outerHTML assignments that can lead to Cross-Site Scripting (XSS). | Type-unaware | yes | | | | |
| no-insecure-redirects | CWE-601 | | | | Type-unaware | | | | | |
| no-insecure-websocket | CWE-319 | | | | Type-unaware | | | | | |
| no-jwt-in-storage | CWE-311 | A02:2021 | | Prevents storing JWT tokens in browser storage (localStorage/sessionStorage). | Type-unaware | | | | | |
| no-missing-cors-check | CWE-346 | | | Detects missing CORS validation (wildcard CORS, missing origin check) that can allow unauthorized cross-ori… | Type-unaware | | | | | |
| no-missing-csrf-protection | CWE-352 | | | Detects missing CSRF token validation in POST/PUT/DELETE requests. | Type-unaware | | | | | |
| no-missing-security-headers | CWE-693 | | | | Type-unaware | | | | | |
| no-password-in-url | CWE-521 | | | Detects when URLs contain password-related query parameters or URL fragments. | Type-unaware | | | | | |
| no-permissive-cors | CWE-942 | | | | Type-unaware | | | | | |
| no-postmessage-innerhtml | CWE-693 | A03:2021 | | | Type-unaware | | | | | |
| no-postmessage-wildcard-origin | CWE-693 | A01:2021 | | Prevents using a wildcard targetOrigin parameter in postMessage() calls. | Type-unaware | | | | | |
| no-sensitive-cookie-js | CWE-359 | A02:2021 | | | Type-unaware | | | | | |
| no-sensitive-data-in-analytics | CWE-359 | | | Detects when sensitive user data (email, SSN, credit card, password, phone, address) is passed to… | Type-unaware | | | | | |
| no-sensitive-data-in-cache | CWE-200 | | | | Type-unaware | | | | | |
| no-sensitive-indexeddb | CWE-922 | A02:2021 | | Prevents storing sensitive data in IndexedDB. | Type-unaware | | | | | |
| no-sensitive-localstorage | CWE-922 | | | Detects storage of sensitive data (tokens, passwords, PII) in localStorage. | Type-unaware | | | | | |
| no-sensitive-sessionstorage | CWE-922 | A02:2021 | | Prevents storing sensitive data in sessionStorage. | Type-unaware | | | | | |
| no-tracking-without-consent | CWE-359 | | | | Type-unaware | | | | | |
| no-unencrypted-transmission | CWE-319 | | | Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols). | Type-unaware | | | | | |
| no-unescaped-url-parameter | CWE-79 | | | Detects unescaped URL parameters that can lead to Cross-Site Scripting (XSS) or open redirect vulnerabilities. | Type-unaware | | | | | |
| no-unsafe-eval-csp | CWE-95 | A03:2021 | | Disallows 'unsafe-eval' in Content Security Policy directives. | Type-unaware | | | | | |
| no-unsafe-inline-csp | CWE-79 | A03:2021 | | Disallows 'unsafe-inline' in Content Security Policy directives. | Type-unaware | | | | | |
| no-unvalidated-deeplinks | CWE-939 | | | Detects when deep link URLs are opened without validation in React Native or mobile web apps. | Type-unaware | | | | | |
| no-websocket-eval | CWE-319 | A03:2021 | | | Type-unaware | | | | | |
| no-websocket-innerhtml | CWE-319 | A03:2021 | | | Type-unaware | | | | | |
| no-worker-message-innerhtml | CWE-79 | A03:2021 | | Disallows using innerHTML with Web Worker message data. | Type-unaware | | | | | |
| require-blob-url-revocation | CWE-401 | A04:2021 | | Requires revoking Blob URLs after use to prevent memory leaks. | Type-unaware | | | | | |
| require-cookie-secure-attrs | CWE-614 | A05:2021 | | Requires Secure and SameSite attributes on cookies. | Type-unaware | | | | | |
| require-csp-headers | CWE-1021 | | | | Type-unaware | | | | | |
| require-https-only | CWE-319 | | | Detects HTTP (unencrypted) URLs in fetch() and axios requests. | Type-unaware | | | | | |
| require-mime-type-validation | CWE-434 | | | | Type-unaware | | | | | |
| require-postmessage-origin-check | CWE-346 | | | Detects postMessage event handlers without origin validation. | Type-unaware | | | | | |
| require-url-validation | CWE-601 | | | | Type-unaware | | | | | |
| require-websocket-wss | CWE-319 | A02:2021 | | Enforces the use of the wss:// (WebSocket Secure) protocol instead of ws:// (unencrypted WebSocket). | Type-unaware | | | | | |
Related ESLint Plugins
Part of the Interlace ESLint Ecosystem: AI-native security plugins with LLM-optimized error messages.
| Plugin | Description |
|---|---|
| eslint-plugin-secure-coding | General security rules & OWASP guidelines. |
| eslint-plugin-pg | PostgreSQL security & best practices. |
| eslint-plugin-node-security | Node.js core-module security (fs, child_process, vm, crypto, Buffer). |
| eslint-plugin-jwt | JWT security & best practices. |
| eslint-plugin-browser-security | Browser-specific security & XSS prevention. |
| eslint-plugin-express-security | Express.js security hardening rules. |
| eslint-plugin-lambda-security | AWS Lambda security best practices. |
| eslint-plugin-nestjs-security | NestJS security rules & patterns. |
| eslint-plugin-mongodb-security | MongoDB security best practices. |
| eslint-plugin-vercel-ai-security | Vercel AI SDK security hardening. |
| eslint-plugin-import-next | Next-gen import sorting & architecture. |
Support & follow
If this plugin caught a real bug for you, star the repo; stars are the signal that keeps the Interlace ESLint ecosystem maintained. Follow the writeups on Dev.to for the benchmarks and security research behind these rules.
License
MIT © Ofri Peretz
