DOM Based Cross Site Scripting

DOM XSS occurs when untrusted input is read from a client-side source (e.g., `document.location`, `document.referrer`, `window.name`, or query parameters) and is directly written into a dangerous sink in the DOM without proper sanitisation or encoding. Unlike reflected or stored XSS, DOM XSS vulnerabilities are triggered entirely in the browser by client-side JavaScript logic. An adversary can craft malicious URLs or payloads that, when loaded in a victim’s browser, execute arbitrary JavaScript with the privileges of the vulnerable web page.

Remediation

  • Avoid unsafe sinks such as `innerHTML`, `outerHTML`, `document.write`, `eval`, and `setTimeout` with untrusted input.
  • Use a well-vetted frontend framework (e.g., React, Angular, Vue) that automatically applies context-aware escaping and DOM sanitisation.
  • Apply context-aware output encoding (HTML, URL, JavaScript, CSS) before inserting untrusted values into the DOM.
  • Implement a strict Content Security Policy (CSP) to limit the impact of injected scripts.
  • Where direct DOM manipulation is necessary, use safe alternatives like `textContent` or `setAttribute`.
  • Validate and sanitise URL parameters and other client-side data sources before processing them in the DOM.
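The source-to-sink flow described above, as an added example that is not part of the SecDim page: a `name` query parameter (client-side source) written into `innerHTML` (dangerous sink), beside the two hardened forms the remediation list recommends, `textContent` and context-aware HTML encoding. A small element stand-in replaces the browser DOM so the code runs under Node, and the URL and parameter value are constructed for the demo.

```javascript
// Stand-in for a DOM element (constructed for this demo). innerHTML is what the
// browser would parse as markup; textContent is displayed literally, never parsed.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Client-side source: the `name` query parameter. searchParams.get() returns the
// percent-decoded value, so encoded angle brackets arrive as "<" and ">".
function readNameParam(href) {
  return new URL(href).searchParams.get("name") ?? "guest";
}

// Context-aware encoding for the HTML text context. Needed only when markup must
// surround the value and an innerHTML write cannot be avoided.
function encodeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the untrusted source flows straight into the innerHTML sink, so any
// markup in the parameter becomes part of the document.
function renderGreetingUnsafe(el, href) {
  el.innerHTML = "<h1>Welcome, " + readNameParam(href) + "</h1>";
  return el.innerHTML;
}

// Hardened (1): textContent sink. The value is shown as text, never parsed.
function renderGreetingSafe(el, href) {
  el.textContent = "Welcome, " + readNameParam(href);
  return el.textContent;
}

// Hardened (2): markup is required around the value, so the value is HTML-encoded
// before it reaches innerHTML.
function renderGreetingEncoded(el, href) {
  el.innerHTML = "<h1>Welcome, " + encodeHtml(readNameParam(href)) + "</h1>";
  return el.innerHTML;
}

// Lists the tag names present in a markup string, to show which version lets
// parameter-controlled tags reach the document.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}
```

Frameworks such as React, Angular or Vue perform the encoding step of `renderGreetingEncoded` automatically for template bindings, which is why the remediation list recommends them over hand-written DOM manipulation.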

Metadata

  • Severity: medium
  • Slug: dom-based-cross-site-scripting

CWEs

  • 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OWASP

  • A7:2017: Cross-Site Scripting (XSS)
