Install command
Not provided
Source-backed rules for reviewing AI-generated code that renders untrusted data into HTML, JavaScript, URLs, or CSS before merge for cross-site scripting risk, covering context-correct output encoding, dangerous DOM sinks, HTML sanitization, and Content-Security-Policy as defense in depth.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
4 to clear
Platforms
1 listed
Install type
Copy & paste
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Prerequisite readiness
4 prerequisites to line up before setup.
Safety & privacy surface
3 safety and 3 privacy notes across 5 risk areas. Review closely: credentials & tokens, network access, third-party handling.
You are reviewing AI-generated code for cross-site scripting (XSS) risk.
Rules:
1. Identify every place untrusted data flows into HTML, JavaScript, a URL,
or CSS, and confirm each one uses the output encoding for that specific
context — HTML entity encoding, HTML attribute encoding, JavaScript
encoding, URL encoding, or CSS hex encoding are not interchangeable.
2. Flag any use of a dangerous sink — `innerHTML`, `outerHTML`,
`document.write`, `dangerouslySetInnerHTML`, Vue's `v-html`, Angular's
`bypassSecurityTrustAs*`, or string-built `<script>`/`eval` — and require
a safe sink (`textContent`, `setAttribute` on a hardcoded-safe attribute
name, `.value`, framework-default templating) instead, unless the value
first passes through an HTML sanitizer.
3. When a feature genuinely needs to render user-authored HTML (a WYSIWYG
editor, markdown preview), require sanitization with a maintained library
(for example DOMPurify) applied immediately before render, and confirm
the sanitized output is not concatenated with more untrusted data
afterward.
4. Never place untrusted data in a dangerous context that output encoding
cannot make safe: directly inside a `<script>` block, inside an HTML
comment, inside a `<style>` block, as an unquoted attribute value, or as
the tag/attribute name itself.
5. For any URL built from untrusted input, validate the scheme against an
allowlist (`http`/`https` only) before use in `href`, `src`, or a
redirect, since `javascript:` and `data:` URLs execute when navigated or
loaded.
6. Do not treat a Content-Security-Policy header, a WAF, or an input-side
interceptor/filter as the primary defense — require context-correct
output encoding or sanitization at the point of render first, and treat
CSP as an additional layer, not a substitute.Use these rules when an AI coding assistant writes or edits code that renders data of uncertain origin into a page. The goal is to stop a generated component, template, or DOM update from shipping a cross-site scripting hole because it renders correctly for the happy-path input and looks like ordinary UI code.
This is a review policy, not an XSS tutorial. It tells reviewers what must be true about a generated change's encoding, sinks, and sanitization before the change is safe to merge.
Collect enough context to know where untrusted data flows and how it is rendered.
<div>UNTRUSTED</div>): use HTML entity encoding, or a
safe sink such as .textContent.<div attr="UNTRUSTED">): quote the attribute with
" or ', use HTML attribute encoding, and only place untrusted data into
attributes that cannot execute (never onclick, onerror, href with a
javascript: scheme, or similar event/URL attributes without extra
validation).<script> block or event handler by concatenating
untrusted strings into unquoted code.href or src; validate the scheme against an
allowlist before use.element.style.property = value
(a safe sink) over building a <style> block from strings.innerHTML,
outerHTML, insertAdjacentHTML, document.write, document.writeln.dangerouslySetInnerHTML, Vue's v-html, Angular's
bypassSecurityTrustAs* family, and any unsafeHTML/raw-HTML helper..textContent, .setAttribute(name, value) with a hardcoded attribute
name, .value, .className, document.createTextNode.eval, new Function, setTimeout/setInterval called with a
string argument, and any dynamic <script src> built from untrusted input.Content-Security-Policy: require-trusted-types-for 'script') to force
DOM XSS sinks through a vetted policy instead of accepting plain strings.Block merge when any of these is true.
innerHTML, dangerouslySetInnerHTML, v-html,
document.write, or an equivalent sink without prior sanitization.<script> block, an HTML comment, a
<style> block, or an unquoted attribute — a dangerous context that output
encoding cannot fully protect.href, src, or a redirect
without scheme validation, allowing a javascript: or data: URL.AI assistants can write and review rendering code, but they should show their evidence.
</> instead of rendering
markup: that is expected for HTML entity encoding of plain text; if
markup rendering is actually required, sanitize the HTML instead of
switching back to an unsafe sink.innerHTML with raw input.unsafe-inline, and keep pursuing output-side fixes for the underlying
sink.Before adding new HTML-rendering or sanitization logic, confirm the codebase does not already have a shared rendering helper, template component, or sanitizer wrapper that solves this. A generated change that reaches for a raw DOM API or hand-rolled encoding next to an existing safe helper should be treated as suspicious — check whether the existing helper was simply not reused before introducing a second, parallel mechanism.
| Context | Example | Sample Defense |
|---|---|---|
| HTML body | <span>DATA</span> |
HTML entity encoding, or .textContent |
| HTML attribute | <input value="DATA"> |
Quote the attribute, HTML attribute encoding |
| URL / GET parameter | <a href="/search?q=DATA"> |
URL encoding, then HTML attribute encoding |
| JavaScript variable | <script>var x='DATA';</script> |
JavaScript encoding inside an already-quoted value |
| CSS value | <div style="width: DATA;"> |
CSS hex encoding, or element.style.property = x |
| Untrusted HTML | <div>DATA (rich text)</div> |
HTML sanitization (e.g. DOMPurify), not encoding |
| DOM-based | document.write(location.hash) |
Avoid the sink; see the DOM-based XSS cheat sheet |
Show that AI-Generated XSS (Cross-Site Scripting) Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/ai-generated-xss-review-rules)AI-Generated XSS (Cross-Site Scripting) Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | Source-backed rules for reviewing AI-generated code that renders untrusted data into HTML, JavaScript, URLs, or CSS before merge for cross-site scripting risk, covering context-correct output encoding, dangerous DOM sinks, HTML sanitization, and Content-Security-Policy as defense in depth. Open dossier | Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions. Open dossier | Source-backed rules for reviewing AI-generated endpoints and data-access code before merge for insecure direct object reference risk, covering per-request object-level authorization checks, scoped database lookups, identifier exposure, and consistent enforcement across read, write, and admin operations. Open dossier | Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | — |
| Category | rules | rules | rules | rules |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Added | 2026-07-15 | 2026-06-22 | 2026-07-15 | 2026-07-15 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓A successful XSS injection runs attacker JavaScript in another user's browser session, enabling session/token theft, account takeover, keylogging, or unauthorized actions performed as that user. AI assistants frequently reach for innerHTML, dangerouslySetInnerHTML, or string-concatenated HTML because it is the shortest path to the desired rendering, without adding sanitization or switching to a safe sink. Relying only on a Content-Security-Policy header is not sufficient: CSP support and enforcement vary by browser, misconfiguration is common, and it does not address DOM-based XSS that never touches the network. | ✓A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it. | ✓A missing object-level authorization check lets any authenticated (or sometimes unauthenticated) user read, modify, or delete another user's data by changing an identifier in the request — accounts, documents, orders, invoices, and support tickets are common targets. AI assistants often generate a correct-looking handler for the current user's own data and skip the cross-user check entirely, because the happy-path test only ever exercises the requester's own objects. Switching to random/UUID identifiers reduces guessability but is not an authorization control; do not accept it as a substitute for a server-side ownership or permission check. | ✓Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces. |
| Privacy notes | ✓XSS proof-of-concept payloads and captured DOM/session state can include real session tokens, cookies, or personal data; use synthetic accounts and redact captures before pasting them into a PR or issue. Sanitizer configuration (allowed tags/attributes) can itself leak intent about what user-generated content the product stores; avoid documenting real user content samples in public review threads. Third-party scripts and widgets execute with the same DOM access as first-party code; disclose any new third-party script include as part of the change under review. | ✓CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards. | ✓IDOR proof-of-concept testing can expose another account's real data; use synthetic test accounts and synthetic objects rather than real user records when demonstrating the issue. Do not paste real user identifiers, documents, or other objects retrieved during testing into a public PR or issue; redact or replace them with placeholders. Server-side logs and error messages for a denied access attempt should avoid echoing back the unauthorized object's contents, only that access was denied. | ✓Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit. |
| Prerequisites |
|
|
|
|
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Review AI-generated pull requests with repeatable security, test, and evidence checks.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.