
dangerous xss unsanitized input #127

Closed
Abhigyan2005 wants to merge 3 commits into DeepSourceCorp:master from Abhigyan2005:add-xss-unsanitized-input-rule


Conversation

@Abhigyan2005

Description

This PR introduces a security checker named dangerous_xss_unsanitized_input to detect dangerous DOM manipulation in JavaScript code. Directly assigning unsanitized user input to DOM properties (such as innerHTML or outerHTML) or using document.write can lead to cross-site scripting (XSS) vulnerabilities. This checker helps in preventing XSS.

Detection Logic

  • DOM Assignment: Flags direct assignments of unsanitized input to innerHTML or outerHTML.
  • Document Write: Flags document.write or document.writeln calls with unsanitized input.
  • HTML Concatenation: Flags when unsanitized user input is concatenated into HTML strings before being inserted into the DOM.
  • Contextual Exclusion: Excludes detections inside catch blocks to avoid false positives.
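As an added illustration of the four detection points listed above, the following Node.js script runs an equivalent line-based scan over a constructed sample file. It is not the YAML rule this PR adds and not code from the globstar project; the sink names, the sample source, the rule labels and the "pure string literal is safe" heuristic are assumptions made for the example. The sample also contains the safe counterparts a reviewer would expect (a literal-only innerHTML assignment and textContent) to show they are left unreported.

```javascript
// Added example (not globstar's checker): a line-oriented scan for the DOM
// sinks named in the PR description. The real checker matches the syntax
// tree; this regex version only illustrates the same detection logic.

// Constructed sample input; line numbers are referenced in the comments.
const SAMPLE_SOURCE = [
  "const name = new URLSearchParams(location.search).get('name');", // 1: untrusted source
  "const box = document.getElementById('greeting');",               // 2
  "box.innerHTML = '<b>' + name + '</b>';",                          // 3: HTML concatenation
  "box.outerHTML = name;",                                           // 4: direct assignment
  "box.innerHTML = `<i>${name}</i>`;",                               // 5: template interpolation
  "document.write(name);",                                           // 6: document.write
  "document.writeln('<p>' + name + '</p>');",                        // 7: writeln + concatenation
  "box.innerHTML = '<b>Hello</b>';",                                 // 8: literal only, not reported
  "box.textContent = name;",                                         // 9: safe sink, not reported
  "try {",                                                           // 10
  "  render(name);",                                                 // 11
  "} catch (err) {",                                                 // 12
  "  box.innerHTML = err.message;",                                  // 13: excluded (inside catch)
  "}",                                                               // 14
].join('\n');

// Sinks: `x.innerHTML = expr` / `x.outerHTML = expr`, and document.write(ln)(args).
const SINK_ASSIGN = /\.(innerHTML|outerHTML)\s*=(?!=)\s*(.*?)\s*;?\s*$/;
const SINK_WRITE = /document\.(write|writeln)\s*\((.*)\)\s*;?\s*$/;
// A catch block opening on this line (a leading "." excludes promise.catch(...)).
const CATCH_OPEN = /(?<!\.)\bcatch\s*(\([^)]*\))?\s*\{/;

// A plain string literal (no template interpolation) carries no user input.
function isStringLiteral(expr) {
  const e = expr.trim();
  return /^'[^']*'$/.test(e) || /^"[^"]*"$/.test(e) ||
    (/^`[^`]*`$/.test(e) && !e.includes('${'));
}

// HTML concatenation: a literal that opens a tag joined with another
// expression, either by "+" or by "${...}" inside a template literal.
function isHtmlConcatenation(expr) {
  return /['"`]<[^'"`]*['"`]\s*\+/.test(expr) ||
    /\+\s*['"`][^'"`]*<[^'"`]*['"`]/.test(expr) ||
    /`[^`]*<[^`]*\$\{/.test(expr);
}

// Net count of "{" minus "}" (strings are not tokenised; good enough here).
function braceDelta(s) {
  let d = 0;
  for (const ch of s) { if (ch === '{') d++; else if (ch === '}') d--; }
  return d;
}

function report(findings, line, sink, expr) {
  if (isStringLiteral(expr)) return; // nothing dynamic reaches the sink
  const rule = isHtmlConcatenation(expr) ? 'html_concatenation'
    : sink.startsWith('document.') ? 'document_write'
    : 'dom_assignment';
  findings.push({ line, sink, rule });
}

// Returns [{line, sink, rule}] for every reported sink outside catch blocks.
function scanSource(source) {
  const findings = [];
  let inCatch = false;
  let depth = 0;
  source.split('\n').forEach((raw, idx) => {
    const lineNo = idx + 1;
    const line = raw.replace(/\/\/.*$/, ''); // drop trailing line comments
    if (inCatch) {                            // contextual exclusion
      depth += braceDelta(line);
      if (depth <= 0) inCatch = false;
      return;
    }
    const c = CATCH_OPEN.exec(line);
    if (c) {
      depth = braceDelta(line.slice(c.index));
      inCatch = depth > 0;
      return;
    }
    const a = SINK_ASSIGN.exec(line);
    if (a) { report(findings, lineNo, a[1], a[2]); return; }
    const w = SINK_WRITE.exec(line);
    if (w) report(findings, lineNo, `document.${w[1]}`, w[2]);
  });
  return findings;
}

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.rule} via ${f.sink}`);
}
```

Running it prints five findings (lines 3 to 7) and stays silent on the literal-only assignment, the textContent line and the assignment inside the catch block; replacing a reported sink with textContent, or building nodes with createElement and appendChild, is the fix the checker is steering towards.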

Contributor


The tests are failing with this message:

invalid rule 'dangerous_xss_unsanitized_input.yml': invalid node type 'argument_list' at line 15 column 0

I'd recommend running globstar test locally to see if all the checkers are running as expected and the test cases are raising errors as expected.

Author


[Screenshot 2025-03-11 233044]
Hi sanket,
I've made the required changes and tested it locally, and it seems to be working well. I've also added some more checkers to detect some more potentially dangerous DOM manipulations.
Please have a look at the updated code.

@sanket-deepsource
Contributor

Adding @sourya-deepsource here to help with the review.
