DOM Based Cross Site Scripting
DOM XSS occurs when untrusted input is read from a client-side source (e.g., `document.location`, `document.referrer`, `window.name`, or query and fragment parameters) and is written into a dangerous DOM sink without proper sanitisation or encoding. Unlike reflected or stored XSS, DOM XSS is triggered entirely in the browser by client-side JavaScript logic: the payload need never reach the server (a fragment after `#` is not even sent), so server-side filtering and a WAF do not catch it. An adversary can craft malicious URLs or payloads that, when loaded in a victim's browser, execute arbitrary JavaScript with the privileges of the vulnerable web page (same origin, same cookies and storage, same DOM).
Remediation
- Avoid unsafe sinks such as `innerHTML`, `outerHTML`, `document.write`, `eval`, and `setTimeout`/`setInterval` (string form) with untrusted input. Note that `location.href`, `a.href` and `script.src` are also sinks, because `javascript:` and `data:` URLs execute.
- Use a well-vetted frontend framework (e.g., React, Angular, Vue) that applies context-aware escaping by default, and treat its escape hatches (`dangerouslySetInnerHTML`, `bypassSecurityTrustHtml`, `v-html`) as raw sinks that reintroduce the problem.
- Apply context-aware output encoding (HTML, attribute, URL, JavaScript, CSS) before inserting untrusted values into the DOM; HTML-encoding a value does not make it safe in a URL or script context.
- Implement a strict Content Security Policy (CSP) to limit the impact of injected scripts. A policy that allows `'unsafe-inline'` for scripts gives no protection against XSS; `require-trusted-types-for 'script'` additionally forces DOM sinks to accept only vetted values.
- Where direct DOM manipulation is necessary, use safe alternatives like `textContent`, or `setAttribute` on attributes that do not execute (never on `on*` handlers, and only with a validated scheme for `href`/`src`).
- Validate and sanitise URL parameters and other client-side data sources before processing them in the DOM; for URL-bearing values, allow-list `http:`/`https:` rather than block-listing `javascript:`.
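The source-to-sink flow above, with its hardened counterparts, as an added example (not code from the original page or from any particular product). It runs under Node with no browser: `makeElement()` is an assumed stand-in for a DOM element exposing only the members used, `readParam()` takes the page URL as a parameter where real code would read `document.location`, and the base origin `https://app.example/` used to resolve links is assumed.

```javascript
// Added example, not from the original page: DOM XSS source-to-sink flow and
// the remediations listed above. The DOM is replaced by a minimal fake element
// (an assumption so the file runs under plain Node); in a real page `el` would
// come from document.querySelector(...).

function makeElement() {
  // Only the members used below exist on this stand-in.
  return {
    innerHTML: '',
    textContent: '',
    attrs: {},
    setAttribute(name, value) { this.attrs[name] = String(value); },
    getAttribute(name) { return this.attrs[name] ?? null; },
  };
}

// Source: a query parameter from the page URL. In the browser this would be
// new URL(document.location.href); the URL is passed in here for testing.
function readParam(pageUrl, name) {
  return new URL(pageUrl).searchParams.get(name) ?? '';
}

// VULNERABLE: the untrusted parameter flows unencoded into the innerHTML sink.
// In a browser, <img src=x onerror=...> in `name` executes as soon as it is parsed.
function renderGreetingUnsafe(pageUrl, el) {
  el.innerHTML = 'Hello, ' + readParam(pageUrl, 'name');
  return el.innerHTML;
}

// FIX 1: textContent assigns inert text; markup characters are never parsed.
function renderGreetingText(pageUrl, el) {
  el.textContent = 'Hello, ' + readParam(pageUrl, 'name');
  return el.textContent;
}

// FIX 2: when HTML really must be built, encode for the HTML text context first.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingEncoded(pageUrl, el) {
  el.innerHTML = 'Hello, ' + encodeHtml(readParam(pageUrl, 'name'));
  return el.innerHTML;
}

// href is a URL context, not an HTML text context: HTML encoding does nothing
// against javascript: or data: URLs. Resolve the value and allow-list http(s).
function safeHref(raw) {
  let url;
  try {
    url = new URL(raw, 'https://app.example/'); // assumed page origin as base
  } catch {
    return '#';
  }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url.href : '#';
}

// A link built from two untrusted parameters using the safe alternatives:
// validated scheme via setAttribute('href'), label via textContent.
function renderLinkSafe(pageUrl, el) {
  el.setAttribute('href', safeHref(readParam(pageUrl, 'next')));
  el.textContent = readParam(pageUrl, 'label');
  return { href: el.getAttribute('href'), text: el.textContent };
}

// Constructed demo: the kind of link an attacker would send to a victim.
const DEMO_URL =
  'https://app.example/profile?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E' +
  '&next=javascript:alert(document.cookie)&label=Continue';

console.log('unsafe :', renderGreetingUnsafe(DEMO_URL, makeElement()));
console.log('text   :', renderGreetingText(DEMO_URL, makeElement()));
console.log('encoded:', renderGreetingEncoded(DEMO_URL, makeElement()));
console.log('link   :', renderLinkSafe(DEMO_URL, makeElement()));
```

Both `renderGreetingText` and `renderGreetingEncoded` leave the attacker's string visible to the user, which is the intended outcome: the text is preserved, only its ability to be parsed as markup is removed. `safeHref` deliberately allow-lists schemes instead of searching for `javascript:`, because the URL parser normalises case and strips leading whitespace and tabs, so a block-list on the raw string is easy to slip past.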
Metadata
- Severity: medium
- Slug: dom-based-cross-site-scripting
CWEs
- 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP
- A7:2017: Cross-Site Scripting (XSS)