#CLI Scanner

Kita Html catches unsafe JSX before production through two tools from @kitajs/ts-html-plugin: a TypeScript editor plugin for real-time diagnostics and the xss-scan CLI for project-wide checks in CI.

Both tools report the same TS88601 through TS88604 diagnostics. The editor plugin catches issues while you type. The CLI catches changes from developers without the plugin enabled, or type changes that make a previously safe expression unsafe.

#Editor diagnostics

Add the TypeScript plugin to tsconfig.json:

{
  "compilerOptions": {
    "plugins": [{ "name": "@kitajs/ts-html-plugin" }]
  }
}

Your editor must use the project's local TypeScript installation. In VS Code, set js/ts.tsdk.path to node_modules/typescript/lib and enable js/ts.tsdk.promptToUseWorkspaceVersion.

The plugin works in editors that support TypeScript language service plugins, including VS Code, Neovim with nvim-lspconfig, and JetBrains IDEs. It does not work with tsgo, which does not run TypeScript language service plugins. Build-time compilation with tsgo is unaffected.

#CLI usage

xss-scan [options] [files...]

The command can also be invoked as ts-html-plugin, which is an alias for the same CLI.

When called without file arguments, it scans all files included by the project's tsconfig.json. When file paths are provided, only those files are analyzed.

xss-scan

xss-scan src/pages/login.tsx src/pages/profile.tsx

Options:

Exit codes:

#CI integration

Add the scanner to your test script so it runs before or alongside your test suite.

{
  "scripts": {
    "test": "xss-scan && vitest"
  }
}

In GitHub Actions, run the scanner after installing dependencies:

- name: XSS scan
  run: npx xss-scan