XSS Analysis


The XSS analysis engine inspects JSX expressions at the TypeScript type level and emits diagnostics for potentially unsafe content. This engine is shared between the editor plugin and the CLI scanner.

Analysis functions

recursiveDiagnoseJsxElements

Entry point for JSX tree analysis. Walks the AST depth-first and calls diagnoseJsxElement for each JSX node. Deduplicates diagnostics by source position.

diagnoseJsxElement

Analyzes a single JSX element. Checks whether the element has the safe attribute, iterates through JSX expression children, and delegates to diagnoseExpression for each.

Skips <script> elements, which are exempt from analysis.

diagnoseExpression

Analyzes a single expression within JSX children. Unwraps parenthesized expressions, recurses through ternary and binary expressions (checking both branches), and calls isSafeAttribute to determine type safety.

isSafeAttribute

The core type safety check. Returns true if the expression's TypeScript type is safe to render without escaping. The full rule set is documented in the Safety Rules page.

Diagnostic codes

The engine emits four diagnostic codes: TS88601 (unsafe expression), TS88602 (double escaping), TS88603 (component children XSS), and TS88604 (unnecessary safe). Full descriptions with examples are in the Error Codes page.

Component vs element detection

The engine distinguishes native elements from components by the casing of the tag name. Lowercase names are native elements, where the safe attribute is honoured. Uppercase names are components, where the safe attribute does not apply and Html.escapeHtml() is required instead.
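The following is an added example, not the plugin's own code, that models the walk described in the Analysis functions section and the casing rule above on a hand-built JSX-like tree: depth-first traversal, the <script> exemption, the safe attribute on native elements, unwrapping of parentheses, recursion into both ternary and binary branches, and de-duplication by source position. The type check is an assumed stand-in for isSafeAttribute (only non-string values are treated as safe), and the mapping of components to TS88603 and native elements to TS88601 is likewise assumed.

```typescript
type Value = { kind: "value"; type: "string" | "number" | "boolean"; pos: number };
type Expr = Value | { kind: "paren"; inner: Expr }
  | { kind: "ternary"; whenTrue: Expr; whenFalse: Expr } | { kind: "binary"; left: Expr; right: Expr };
interface JsxElement { tag: string; safe?: boolean; children: (JsxElement | Expr)[] }
interface Diagnostic { code: "TS88601" | "TS88603"; pos: number }

// Tag-name casing decides native element vs component, as the page describes.
const isComponent = (tag: string): boolean => /^[A-Z]/.test(tag);
// Stand-in for isSafeAttribute (an assumed rule, not the plugin's real rule set):
// only non-string types are safe to render without escaping.
const isSafeType = (v: Value): boolean => v.type !== "string";

function diagnoseExpression(e: Expr, code: Diagnostic["code"], out: Diagnostic[]): void {
  switch (e.kind) {
    case "paren": diagnoseExpression(e.inner, code, out); break;            // unwrap ( )
    case "ternary": diagnoseExpression(e.whenTrue, code, out);               // both branches
                    diagnoseExpression(e.whenFalse, code, out); break;
    case "binary": diagnoseExpression(e.left, code, out);
                   diagnoseExpression(e.right, code, out); break;
    case "value": if (!isSafeType(e)) out.push({ code, pos: e.pos });
  }
}

function diagnoseJsxElement(el: JsxElement, out: Diagnostic[]): void {
  if (el.tag === "script") return;                         // <script> is exempt
  const component = isComponent(el.tag);
  if (!component && el.safe) return;                       // `safe` works only on native elements
  const code = component ? "TS88603" : "TS88601";          // assumed mapping of codes
  for (const c of el.children) if (!("tag" in c)) diagnoseExpression(c, code, out);
}

function recursiveDiagnoseJsxElements(root: JsxElement): Diagnostic[] {
  const out: Diagnostic[] = [];
  const walk = (el: JsxElement): void => {                 // depth-first over nested elements
    diagnoseJsxElement(el, out);
    for (const c of el.children) if ("tag" in c) walk(c);
  };
  walk(root);
  const seen = new Set<number>();                          // dedupe by source position
  return out.filter((d) => (seen.has(d.pos) ? false : (seen.add(d.pos), true)));
}

// Constructed input, roughly: <div>{(name)}{ok ? count : bio}<script>{raw}</script><Card>{name}</Card><p safe>{html}</p></div>
const str = (pos: number): Value => ({ kind: "value", type: "string", pos });
const sample: JsxElement = { tag: "div", children: [
  { kind: "paren", inner: str(10) },
  { kind: "ternary", whenTrue: { kind: "value", type: "number", pos: 20 }, whenFalse: str(25) },
  { tag: "script", children: [str(30)] },
  { tag: "Card", children: [str(40)] },
  { tag: "p", safe: true, children: [str(50)] },
] };
function runSample(): Diagnostic[] { return recursiveDiagnoseJsxElements(sample); }
```

Running runSample() yields three diagnostics: TS88601 at positions 10 and 25 (the parenthesized string and the unsafe ternary branch) and TS88603 at position 40 (the string child of the Card component); the <script> child and the safe-marked <p> produce nothing.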