Identify "href" (i.e., free "javascript:" XSS) and dangerouslySetInnerHtml usages in ReactJS SPAs.

hrefs.py

import re
import sys

VULNERABLE_HREF = r'href: [^"].+[^\s]?'
DANGEROUSLY_SET_INNER_HTML = r'__html: .+[^\s]?'
STATE_VALUES = r'\.setState\({([\s\S]*?)}\)'

#false_positives = ("this.props.team.", "constants.")

def find_state_candidates(name, states):
        candidates = []

        for state in states:
            for param in state.split('\n'):
                param = param.rstrip(',;').strip()
                if param.split(':')[0] == name:
                    candidates.append(param.split(':')[1].strip())

        return candidates

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("Usage: %s beautified.js" % sys.argv[0])
        sys.exit()

    with open(sys.argv[1], 'r', errors="ignore") as f:
        content = f.read()
  
    matches = re.findall(VULNERABLE_HREF, content) + re.findall(DANGEROUSLY_SET_INNER_HTML, content)
    states = re.findall(STATE_VALUES, content, flags=re.MULTILINE)

    matches = [re.sub(' +', ' ', match).strip() for match in matches]
    states = [re.sub(' +', ' ', state).strip() for state in states]

    for match in matches:
        value = match.split(' ')[1]
#        if not value.startswith(false_positives):
        if value.startswith('this.state.'):
            print("%s (%s)" % (match, find_state_candidates(value.split('.')[2], states)))
        else:
            print(match)