DOM XSS
If user-controlled input reaches code that the page executes or HTML that the page renders, a malicious user can send a crafted URL to a victim and run script of their choosing in the victim's browser.
Vulnerable code examples
// Vulnerable: whatever the user typed into the field is executed as JavaScript.
eval(document.querySelector('input[name="expression"]').value);

// Vulnerable: the value is parsed as HTML, so any markup in it becomes live DOM.
const firstName = document.querySelector('input[name="firstName"]').value;
document.querySelector('.wt-first-name').innerHTML = firstName;
ECMAScript Template String
ECMAScript template strings should not be used for HTML templating.
// Vulnerable: the interpolated value is not escaped before the string is parsed as HTML.
element.innerHTML = `<div>Hi, ${firstName}</div>`;
Where firstName might be controlled by a malicious user.
Apart from the application's own code, every external source (URL parameters, form fields, storage, responses from other services) should be considered hostile.
Use your framework's escaping features.
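The following is an added example, not code from the original page, showing the safe counterparts of the two innerHTML cases above: an HTML escaping helper for the template-string case, and textContent for the plain assignment. The helper name escapeHtml, the greetingHtml and setFirstName functions, and the sample name are assumptions introduced here; the element selector is the one used in the vulnerable example.

```javascript
// Added example (not from the original page): escaping and safe DOM updates
// for the two innerHTML cases discussed above. Function names are assumptions.

// The five characters that can break out of HTML text or attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every special character so the value is displayed as text, not parsed as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe version of the template-string case: the interpolated value is escaped
// before the string is handed to innerHTML, so markup in firstName stays inert.
function greetingHtml(firstName) {
  return `<div>Hi, ${escapeHtml(firstName)}</div>`;
}

// Safe version of the plain assignment: textContent never invokes the HTML parser,
// so the browser shows the string exactly as it was typed. Returns what was set.
function setFirstName(element, firstName) {
  element.textContent = firstName;
  return element.textContent;
}

// Constructed sample value containing all five special characters, the kind of
// string a crafted URL or form submission could place in the firstName field.
const SAMPLE_NAME = 'Mallory <b>"friend"</b> & \'co\'';

// Browser usage: update the same element the vulnerable example targets.
// Skipped when no DOM is present (e.g. when run under Node.js).
if (typeof document !== 'undefined') {
  const target = document.querySelector('.wt-first-name');
  if (target) {
    setFirstName(target, SAMPLE_NAME);
  }
}
```

textContent is the right tool when the value is meant to be plain text; escapeHtml is for the cases where the string really must be assembled as HTML. Neither helps the eval case, where the only fix is to stop executing user-supplied input altogether.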