CodeIntelligenceTesting
diff --git a/‎packages/bug-detectors/internal/xss.instrumentation.test.ts‎
Lines changed: 206 additions & 0 deletions b/‎packages/bug-detectors/internal/xss.instrumentation.test.ts‎
Lines changed: 206 additions & 0 deletions
diff --git a/‎packages/bug-detectors/internal/xss.test.ts‎
Lines changed: 18 additions & 0 deletions b/‎packages/bug-detectors/internal/xss.test.ts‎
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,206 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import {
+	instrumentAndEvalWith,
+	instrumentWith,
+} from "../../instrumentor/plugins/testhelpers";
+
+globalThis.JazzerJS = new Map();
+
+const { xssDomSinkInstrumentationPlugin } =
+	require("./xss") as typeof import("./xss");
+
+const expectInstrumentation = instrumentWith(xssDomSinkInstrumentationPlugin());
+const expectInstrumentationAndEval = instrumentAndEvalWith(
+	xssDomSinkInstrumentationPlugin(),
+);
+
+describe("XSS DOM sink instrumentation", () => {
+	beforeEach(() => {
+		globalThis.XSSDetector = {
+			analyzeHtmlForXss: jest.fn(),
+			reportDomSinkArgsIfNeeded: jest.fn((values) => values),
+			reportDomSinkIfNeeded: jest.fn((value) => value),
+		};
+	});
+
+	it("wraps innerHTML assignments once and preserves assignment semantics", () => {
+		const input = `
+		|let calls = 0
+		|const element = { innerHTML: "" }
+		|function payload() {
+		|  calls++
+		|  return '<img src=x onerror="jaz_zer_xss">'
+		|}
+		|const result = element.innerHTML = payload();
+		|({ result, calls })`;
+		const output = `
+		|let calls = 0;
+		|const element = {
+		|  innerHTML: ""
+		|};
+		|function payload() {
+		|  calls++;
+		|  return '<img src=x onerror="jaz_zer_xss">';
+		|}
+		|const result = (_jazzerXssTmp => {
+		|  globalThis.XSSDetector.reportDomSinkIfNeeded(_jazzerXssTmp, "innerHTML");
+		|  return _jazzerXssTmp;
+		|})(element.innerHTML = payload());
+		|({
+		|  result,
+		|  calls
+		|});`;
+
+		const result = expectInstrumentationAndEval<{
+			result: string;
+			calls: number;
+		}>(input, output);
+		expect(result).toEqual({
+			calls: 1,
+			result: '<img src=x onerror="jaz_zer_xss">',
+		});
+		expect(globalThis.XSSDetector.reportDomSinkIfNeeded).toHaveBeenCalledWith(
+			'<img src=x onerror="jaz_zer_xss">',
+			"innerHTML",
+		);
+	});
+
+	it("wraps insertAdjacentHTML and preserves call results", () => {
+		const input = `
+		|let calls = 0
+		|const element = {
+		|  insertAdjacentHTML(position, html) {
+		|    calls++
+		|    return position + html
+		|  }
+		|}
+		|const result = element.insertAdjacentHTML("beforeend", "<script>jaz_zer_xss</script>");
+		|({ result, calls })`;
+		const output = `
+		|let calls = 0;
+		|const element = {
+		|  insertAdjacentHTML(position, html) {
+		|    calls++;
+		|    return position + html;
+		|  }
+		|};
+		|const result = element.insertAdjacentHTML("beforeend", globalThis.XSSDetector.reportDomSinkIfNeeded("<script>jaz_zer_xss</script>", "insertAdjacentHTML"));
+		|({
+		|  result,
+		|  calls
+		|});`;
+
+		const result = expectInstrumentationAndEval<{
+			result: string;
+			calls: number;
+		}>(input, output);
+		expect(result).toEqual({
+			calls: 1,
+			result: "beforeend<script>jaz_zer_xss</script>",
+		});
+	});
+
+	it("wraps document.write arguments once", () => {
+		const input = `
+		|let calls = 0
+		|const document = {
+		|  writes: [],
+		|  write(...args) {
+		|    this.writes.push(args.join(""))
+		|    return args.length
+		|  }
+		|}
+		|function payload() {
+		|  calls++
+		|  return "<script>jaz_zer_xss</script>"
+		|}
+		|const result = document.write(payload(), "!", payload());
+		|({ result, calls, writes: document.writes })`;
+		const output = `
+		|let calls = 0;
+		|const document = {
+		|  writes: [],
+		|  write(...args) {
+		|    this.writes.push(args.join(""));
+		|    return args.length;
+		|  }
+		|};
+		|function payload() {
+		|  calls++;
+		|  return "<script>jaz_zer_xss</script>";
+		|}
+		|const result = document.write(...globalThis.XSSDetector.reportDomSinkArgsIfNeeded([payload(), "!", payload()], "document.write"));
+		|({
+		|  result,
+		|  calls,
+		|  writes: document.writes
+		|});`;
+		const result = expectInstrumentationAndEval<{
+			calls: number;
+			result: number;
+			writes: string[];
+		}>(input, output);
+		expect(result.calls).toBe(2);
+		expect(result.result).toBe(3);
+		expect(result.writes).toEqual([
+			"<script>jaz_zer_xss</script>!<script>jaz_zer_xss</script>",
+		]);
+		expect(
+			globalThis.XSSDetector.reportDomSinkArgsIfNeeded,
+		).toHaveBeenCalledTimes(1);
+	});
+
+	it("wraps dangerouslySetInnerHTML independent of the factory name", () => {
+		const input = `
+		|const n = (_tag, props) => props
+		|const payload = '<img src=x onerror="jaz_zer_xss">';
+		|n("div", { dangerouslySetInnerHTML: { __html: payload } });`;
+		const output = `
+		|const n = (_tag, props) => props;
+		|const payload = '<img src=x onerror="jaz_zer_xss">';
+		|n("div", {
+		|  dangerouslySetInnerHTML: {
+		|    __html: globalThis.XSSDetector.reportDomSinkIfNeeded(payload, "dangerouslySetInnerHTML")
+		|  }
+		|});`;
+
+		expectInstrumentation(input, output);
+	});
+
+	it("fast-exits on unrelated assignments and object properties", () => {
+		const input = `
+		|const node = { textContent: "", innerText: "" }
+		|node.textContent = "safe";
+		|node.innerText = "safe";
+		|({ dangerouslySetInnerHtml: { __html: "safe" } });`;
+		const output = `
+		|const node = {
+		|  textContent: "",
+		|  innerText: ""
+		|};
+		|node.textContent = "safe";
+		|node.innerText = "safe";
+		|({
+		|  dangerouslySetInnerHtml: {
+		|    __html: "safe"
+		|  }
+		|});`;
+
+		expectInstrumentation(input, output);
+	});
+});
@@ -63,6 +63,24 @@ describe("XSS detector", () => {
 				),
 			).toBeUndefined();
 		});
+
+		it("detects outerHTML fragments with active attributes", () => {
+			expect(analyzeHtmlForXss('<div onmouseover="jaz_zer_xss"></div>')).toBe(
+				"event handler attribute onmouseover",
+			);
+		});
+
+		it("detects insertAdjacentHTML fragments with executable script", () => {
+			expect(
+				analyzeHtmlForXss("<section><script>jaz_zer_xss</script></section>"),
+			).toBe("script element");
+		});
+
+		it("detects document.write fragments with javascript URLs", () => {
+			expect(analyzeHtmlForXss('<a href="javascript:jaz_zer_xss">x</a>')).toBe(
+				"javascript URL attribute href",
+			);
+		});
 	});
 
 	describe("response sink handling", () => {