DOM XSS

If user-controlled data reaches code that executes it or inserts it into the page as HTML, a malicious user can send a crafted URL to a victim and control the code that runs in the victim's browser.

Vulnerable code examples

// Source: the input value is attacker-controllable; sink: eval executes it as code.
eval(document.querySelector('input[name="expression"]').value);
// Source: user-supplied field; sink: innerHTML parses the value as HTML.
const firstName = document.querySelector('input[name="firstName"]').value;
document.querySelector('.wt-first-name').innerHTML = firstName;

ECMAScript Template String

ECMAScript template strings should not be used for HTML templating.

element.innerHTML = `<div>Hi, ${firstName}</div>`;

Here firstName may be controlled by a malicious user, and innerHTML parses whatever it contains as markup.

Apart from the application's own code, every external source (URL parameters, form fields, postMessage data, storage, responses from other origins) should be treated as untrusted.

Use your framework's escaping features.
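The following is an added example, not code from the original page: it puts the template-string sink shown above next to two safer ways of rendering the same greeting. The helper names (renderGreetingUnsafe, escapeHtml, renderGreetingEscaped, setGreeting) and the crafted sample value are constructed for this demonstration. It covers only the HTML sink; the eval sink above has no escaping fix and should simply not receive user data.

```javascript
// Added example (not from the original page). Helper names and the sample
// input below are constructed for this demonstration.

// Vulnerable: the page's pattern, interpolating untrusted input into markup.
// Anything in firstName is parsed as HTML once the string reaches innerHTML.
function renderGreetingUnsafe(firstName) {
  return `<div>Hi, ${firstName}</div>`;
}

// Minimal HTML escaping for text placed inside element content.
// Replaces the five characters that can change meaning in HTML text.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safer: same template, but the interpolated value is escaped first, so the
// browser renders the characters literally instead of parsing them as tags.
function renderGreetingEscaped(firstName) {
  return `<div>Hi, ${escapeHtml(firstName)}</div>`;
}

// Safest for plain text: never route user data through innerHTML at all.
// textContent creates a text node, so no markup is ever parsed.
// Works on a real DOM element or on any object with a textContent property.
function setGreeting(element, firstName) {
  element.textContent = `Hi, ${firstName}`;
  return element;
}

// Constructed sample: a value an attacker could place in the firstName field.
const CRAFTED_FIRST_NAME = '<img src=x onerror="alert(1)">';

// Stand-alone demonstration when run directly with Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe  :', renderGreetingUnsafe(CRAFTED_FIRST_NAME));
  console.log('escaped :', renderGreetingEscaped(CRAFTED_FIRST_NAME));
  console.log('text    :', setGreeting({}, CRAFTED_FIRST_NAME).textContent);
}
```

The escaped variant is the fallback for the cases where a string really must be assembled into HTML; for plain text, prefer textContent or a framework binding that escapes by default, because there is then no string to get wrong.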
