When a jQuery plugin allows user-supplied input to be interpreted as HTML or used in dynamic HTML construction without proper sanitization, it can lead to a Cross-Site Scripting (XSS) vulnerability.

A common example is when a plugin accepts options (such as selectors or content) and directly passes them to JQuery methods such as jQuery() (often aliased as $()) or .html(). If options are not sanitized, malicious input can result in a classical DOM-based XSS vulnerability.

This detector looks for JQuery plugins that accept user-supplied input and directly pass it to JQuery methods that could interpret the input as HTML.

A typical unsafe pattern flagged by this rule might look like:

options.sourceSelector is not properly sanitized before being passed to jQuery(options.sourceSelector). If the plugin is called with options depending on external input, an attacker may pass malicious input as HTML with JavaScript handlers to launch a XSS attack. For example:

The plugin should use methods that do not interpret input as HTML, such as jQuery.find, which always treats the argument as a CSS selector:

Alternatively, the plugin can validate that the options field used matches a given pattern via regular expression test.

Best practices for developing JQuery plugins include:

This detector does not have any configurable parameters.