{
    "slug": "dom_xss",
    "term": "DOM-Based XSS",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Malicious script is injected and executed via the browser DOM without any server-side involvement.",
    "long": "DOM-based XSS differs from reflected and stored XSS in that the vulnerability exists entirely in client-side JavaScript that reads attacker-controlled data (e.g., location.hash, document.referrer) and writes it to a dangerous sink such as innerHTML, document.write(), or eval(); the payload often never reaches the server at all (a URL fragment, for instance, is not sent in the request). Because the vulnerable code reads the data straight from the browser environment rather than from server-rendered output, server-side output encoding cannot prevent it. Mitigations include using safe DOM APIs like textContent, avoiding eval-like sinks, and deploying a strict Content-Security-Policy to limit the impact of any sink that remains.",
    "aliases": [
        "DOM-based XSS",
        "client-side XSS",
        "type-0 XSS"
    ],
    "tags": [
        "xss",
        "javascript",
        "browser",
        "cwe-79"
    ],
    "misconception": "Server-side output encoding prevents DOM XSS. In DOM XSS the vulnerable data flow never touches the server — the payload flows from a browser source (location.hash) directly to a sink (innerHTML) entirely in client-side JavaScript, so encoding applied to the server's response has no effect on it.",
    "why_it_matters": "DOM XSS is executed entirely in the browser — it bypasses server-side output encoding, and when the source is a URL fragment the payload is never sent in the request at all, so it is invisible to WAFs and to scanners that only inspect server traffic.",
    "common_mistakes": [
        "Using location.hash, document.referrer, or URL parameters as innerHTML or document.write() content without sanitisation.",
        "Passing user-controlled data to eval(), setTimeout(), or setInterval() as a string argument.",
        "Trusting that server-side encoding prevents DOM XSS — they operate at different layers.",
        "Not using DOMPurify or equivalent for any user-supplied HTML inserted into the DOM."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "xss",
        "content_security_policy"
    ],
    "prerequisites": [
        "xss",
        "content_security_policy",
        "input_validation"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/DOM_Based_XSS",
        "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html"
    ],
    "bad_code": "// DOM XSS via URL hash:\ndocument.getElementById('output').innerHTML = location.hash.substring(1);\n// Attacker: https://example.com/page#<img src=x onerror=alert(1)>",
    "good_code": "// Safe DOM manipulation — no innerHTML with user data:\nconst name = getUserInput();\n\n// Safe: textContent — the value is treated as text, never parsed as HTML:\ndocument.getElementById('greeting').textContent = 'Hello, ' + name;\n\n// Safe: createElement + textContent — no markup parsing, so nothing to escape:\nconst p = document.createElement('p');\np.textContent = name; // Treated as text — no execution\ndocument.body.appendChild(p);\n\n// If HTML is genuinely needed, sanitise first:\nimport DOMPurify from 'dompurify';\nel.innerHTML = DOMPurify.sanitize(userHtml); // Strips scripts and event-handler attributes",
    "quick_fix": "Never pass user-controlled data to innerHTML, document.write, eval, or setTimeout(string) — use textContent or createElement instead",
    "severity": "high",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/dom_xss",
        "html_url": "https://codeclaritylab.com/glossary/dom_xss",
        "json_url": "https://codeclaritylab.com/glossary/dom_xss.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[DOM-Based XSS](https://codeclaritylab.com/glossary/dom_xss) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/dom_xss"
            }
        }
    }
}