JSX React
Our JavaScript support previously covered React only partially. This support is now extended to the JSX syntax.
JSX (JavaScript XML) is an XML-like syntax extension to ECMAScript that ships with the React library. The complete specification is available in the Draft: JSX Specification.
The following constructs have been identified as potential security flaws and are detected by the existing JS rules:
- The dangerouslySetInnerHTML attribute acts as an entry point for XSS, since its content is inserted as raw HTML (see dangerouslySetInnerHTML).
- Server-side rendering of attacker-controlled initial state, leading to XSS in React apps using Redux.
- XSS in explicit calls to React.createElement(...) with untrusted props or children (see Avoiding XSS in React is Still Hard).
- Attribute injection, which also leads to XSS.
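To make the four flaw classes above concrete, here is an added example (not Kiuwan's or React's code) that models the relevant part of React's rendering behaviour without depending on React: `h` and `renderToString` are constructed stand-ins for React.createElement and ReactDOMServer.renderToString, reduced to the escaping rules that matter. It shows that text children and attribute values are escaped, that dangerouslySetInnerHTML bypasses that escaping (the sink), that an escaped href is still a sink when its scheme is script-bearing, that prop spreading needs an allowlist, and that state serialized into a server-rendered <script> must escape `<` so it cannot close the tag. `safeHref`, `pickProps` and `serializeStateForScript` are hypothetical helpers written for this example.

```javascript
// Added example (not Kiuwan's or React's code): a minimal model of how React
// treats text children, attribute values and dangerouslySetInnerHTML, plus the
// defensive checks a reviewer looks for around those sinks.

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Element constructor with the same shape as React.createElement(type, props, ...children).
function h(type, props, ...children) {
  return { type, props: props || {}, children };
}

// Renderer model: text children and attribute values are escaped, while
// dangerouslySetInnerHTML.__html is emitted verbatim. That verbatim path is the sink.
function renderToString(node) {
  if (typeof node === 'string' || typeof node === 'number') return escapeHtml(node);
  const attrs = Object.entries(node.props)
    .filter(([k]) => k !== 'dangerouslySetInnerHTML' && k !== 'children')
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`)
    .join('');
  const raw = node.props.dangerouslySetInnerHTML;
  const inner = raw ? raw.__html : node.children.map(renderToString).join('');
  return `<${node.type}${attrs}>${inner}</${node.type}>`;
}

// Attribute check: escaping does not neutralize a script-bearing URL scheme, so
// accept only an allowlist (http, https, mailto, root-relative paths, fragments)
// and fall back to an inert value otherwise.
function safeHref(url) {
  const s = String(url).trim();
  if (/^(https?:|mailto:|\/(?!\/)|#)/i.test(s)) return s;
  return '#';
}

// Prop spreading ({...untrusted}) is the attribute-injection path: forward only
// the props the component intends to expose, so dangerouslySetInnerHTML or
// event handlers cannot be smuggled in through the spread.
function pickProps(untrusted, allowed) {
  const out = {};
  for (const k of allowed) if (k in untrusted) out[k] = untrusted[k];
  return out;
}

// Server-side rendering: state embedded in a <script> must not be able to close
// the tag. JSON.stringify leaves '<' intact, so escape it (and '>', '&' and the
// JS line terminators) as \uXXXX, which stays valid JSON and valid JavaScript.
function serializeStateForScript(state) {
  return JSON.stringify(state).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed demonstration input: markup arriving from an untrusted source.
const untrustedText = '<b>hi</b>';
console.log(renderToString(h('p', null, untrustedText)));                                  // escaped
console.log(renderToString(h('p', { dangerouslySetInnerHTML: { __html: untrustedText } }))); // raw
console.log(renderToString(h('a', { href: safeHref('javascript:void(0)') }, 'link')));       // href="#"
console.log(`<script>window.__STATE__=${serializeStateForScript({ q: '</script>' })}</script>`);
```

In a real React application the same three observations hold: children passed as text are escaped by the renderer, `dangerouslySetInnerHTML` is not, and attribute escaping says nothing about whether the value itself (a URL scheme, a spread prop) is acceptable; the static rules listed above flag exactly those places.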
In React, HTML is embedded in the JS code, so the embedded HTML must also be inspected to mark sources, sinks, and neutralization points (for example, <input> elements).
The embedded HTML is also analyzed by Kiuwan with the rules of the HTML technology. The following existing checks may apply:
- OPT.HTML.AutocompleteOnForSensitiveFields
- OPT.HTML.MissingPasswordFieldMasking
- OPT.HTML.TargetBlankVulnerability
- OPT.HTML.SandboxAllowScriptsAndSameOrigin
- OPT.HTML.SpecifyIntegrityAttribute
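As an added illustration of what these five HTML checks look for when they run over markup embedded in JSX, here is a small regex-based checker written for this page. It is not Kiuwan's implementation: the rule names are Kiuwan's, but the matching logic is a rough approximation, and it is run over constructed markup fragments (one with each weakness present, one with each corrected). The `integrity` value in the corrected fragment is a placeholder, not a real hash.

```javascript
// Added example, not Kiuwan's engine: approximate versions of the five HTML rules
// named above, applied to each opening tag found in a markup fragment.
const CHECKS = [
  {
    // Password fields should not opt in to browser autocompletion.
    rule: 'OPT.HTML.AutocompleteOnForSensitiveFields',
    test: (tag) => /type="password"/i.test(tag) && /autocomplete="on"/i.test(tag),
  },
  {
    // An input whose name says "password" but whose type is not password is rendered unmasked.
    rule: 'OPT.HTML.MissingPasswordFieldMasking',
    test: (tag) => /<input\b/i.test(tag)
      && /name="(password|passwd|pwd)"/i.test(tag)
      && !/type="password"/i.test(tag),
  },
  {
    // target="_blank" without rel="noopener" hands the opened page a window.opener reference.
    rule: 'OPT.HTML.TargetBlankVulnerability',
    test: (tag) => /target="_blank"/i.test(tag) && !/rel="[^"]*\bnoopener\b[^"]*"/i.test(tag),
  },
  {
    // allow-scripts together with allow-same-origin lets the framed content remove its own sandbox.
    rule: 'OPT.HTML.SandboxAllowScriptsAndSameOrigin',
    test: (tag) => {
      const m = /sandbox="([^"]*)"/i.exec(tag);
      return !!m && /\ballow-scripts\b/.test(m[1]) && /\ballow-same-origin\b/.test(m[1]);
    },
  },
  {
    // Scripts and stylesheets loaded from an absolute URL should carry Subresource Integrity.
    rule: 'OPT.HTML.SpecifyIntegrityAttribute',
    test: (tag) => /<(script|link)\b/i.test(tag)
      && /(src|href)="https?:\/\//i.test(tag)
      && !/integrity="/i.test(tag),
  },
];

// Walk every opening tag in the fragment and report each rule it trips.
function checkMarkup(markup) {
  const findings = [];
  const tagRe = /<[a-zA-Z][^>]*>/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    for (const c of CHECKS) {
      if (c.test(m[0])) findings.push({ rule: c.rule, tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample: one instance of each weakness.
const VULNERABLE = `
<form>
  <input type="password" name="password" autocomplete="on" />
  <input type="text" name="pwd" />
</form>
<a href="https://example.com" target="_blank">docs</a>
<iframe sandbox="allow-scripts allow-same-origin" src="/widget"></iframe>
<script src="https://cdn.example.com/lib.js"></script>
`;

// Constructed sample: the same markup with each weakness corrected
// (the integrity value is a placeholder, not a real digest).
const FIXED = `
<form>
  <input type="password" name="password" autocomplete="off" />
  <input type="password" name="pwd" />
</form>
<a href="https://example.com" target="_blank" rel="noopener noreferrer">docs</a>
<iframe sandbox="allow-scripts" src="/widget"></iframe>
<script src="https://cdn.example.com/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
`;

for (const f of checkMarkup(VULNERABLE)) console.log(`${f.rule}: ${f.tag}`);
console.log(`findings in FIXED: ${checkMarkup(FIXED).length}`);
```

The checker deliberately works on quoted attributes only; JSX attributes written as `{expressions}` would need the real parser, which is the point of running the HTML rules inside the JS analysis rather than on the markup text alone.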