Cross-site Scripting (DOM based)
- CWE 79
- OWASP 2017-A7
- CAPEC 19
- WASC 8
DOM-based Cross-site Scripting (DOM XSS) occurs when untrusted input is read by client-side JavaScript and written into the page or executed without proper validation or encoding. Unlike reflected or stored XSS, the payload may never reach the server and is instead processed entirely within the browser’s Document Object Model (DOM).
Common sources include location, document.URL, document.referrer, window.name, postMessage, and data stored in localStorage or sessionStorage. Dangerous sinks include innerHTML, outerHTML, document.write, eval, setTimeout, setInterval, Function, and unsafe use of jQuery HTML manipulation methods.
An attacker can exploit this issue by crafting a malicious URL or manipulating browser-controlled input so that arbitrary JavaScript executes in the victim’s browser. Successful exploitation may result in session hijacking, credential theft, account takeover, unauthorized actions, DOM manipulation, or delivery of further client-side attacks. Each browser implements the DOM standard differently, which can affect whether a specific DOM XSS attack works in a particular browser.
Note: A Chromium-based browser is used during testing, so the reported issue should work at least in Chrome.
Remediation
Avoid inserting untrusted data directly into dangerous DOM sinks. Prefer safe alternatives such as textContent, innerText, setAttribute (with strict validation), or secure templating methods instead of innerHTML, document.write, or dynamic code execution functions.
Apply strict input validation and context-aware output encoding before processing any user-controlled data. Validate expected formats, restrict allowed characters where possible, and reject unexpected input rather than attempting to sanitize dangerous payloads after the fact.
Avoid use of dynamic JavaScript execution functions such as eval, new Function, and string-based setTimeout or setInterval. Where JavaScript frameworks are used, ensure built-in escaping protections are not bypassed.
Implement a strong Content Security Policy (CSP) to reduce the impact of successful XSS exploitation. While CSP should not be treated as a primary fix, it provides an important defense-in-depth control.
Review all client-side code paths that process browser-controlled input and perform regular security testing focused on DOM sinks and source-to-sink data flows.
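The remediation steps above applied to one source-to-sink flow (location.hash into element content), as an added example that is not part of the original finding. The "section" and "name" fragment parameters, the allowed section list, and the element passed in are assumptions for illustration.

```javascript
// Added example (not from the original page): remediating a DOM XSS data flow
// from location.hash into the page. Source: the URL fragment. Sink: element
// content. The "section" and "name" parameters are hypothetical.

// Decode a URL component without letting malformed percent-escapes throw.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return ''; }
}

// Parse "key=value&key2=value2" from a fragment such as "#section=home&name=Ann".
function parseFragment(hash) {
  const params = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = safeDecode(idx === -1 ? pair : pair.slice(0, idx));
    params[key] = idx === -1 ? '' : safeDecode(pair.slice(idx + 1));
  }
  return params;
}

// Allow-list validation: only known section ids are accepted; anything else
// is rejected and replaced with the default instead of being "sanitized".
const ALLOWED_SECTIONS = new Set(['home', 'profile', 'settings']);
function validateSection(value) {
  return ALLOWED_SECTIONS.has(value) ? value : 'home';
}

// HTML entity encoding for the case where a value must land in an HTML
// context (for example, a template that is later assigned to innerHTML).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern, shown for contrast: the fragment value flows unencoded
// into innerHTML, so any markup in the URL is parsed by the browser.
function renderGreetingUnsafe(el, hash) {
  const name = parseFragment(hash).name || '';
  el.innerHTML = '<h1>Hello ' + name + '</h1>';
}

// Fixed: textContent treats the value as text and never parses it as markup.
// Any structural markup stays in trusted constants; the untrusted part only
// ever reaches a non-parsing sink.
function renderGreetingSafe(el, hash) {
  const name = parseFragment(hash).name || '';
  el.textContent = 'Hello ' + name;
}
```

In a real page `el` is a DOM element (for example the result of `document.getElementById`); the safe variant is what the remediation text recommends, while `escapeHtml` and `validateSection` cover the cases where an HTML context or a token-like parameter cannot be avoided.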