OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based

Root Cause Summary
The root cause of DOM-based XSS is allowing the DOM in the victim’s browser to be manipulated or modified through client-side scripts such as JavaScript, which enables an attacker to run JavaScript in the victim's browser. This differs from traditional cross-site scripting, which occurs in server-side code.

Browser / Standards Solution
None

Perimeter Solution
None

Generic Framework Solution
"Web 2.0" frameworks must expose an API for page creation/modification that neither uses document.write/document.writeln nor allows dynamic data to be injected into innerHTML or similar DOM element attributes.
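
One way a framework could meet this requirement, shown as an added example that is not OWASP's or any framework's own code: a helper that builds nodes only with createElement, createTextNode and setAttribute, so dynamic data is never parsed as HTML. The names `h` and `safeUrl` and the allowlists are assumptions made for illustration.

```javascript
// Added example; h, safeUrl and the allowlists are hypothetical names.
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'a', 'ul', 'li', 'img', 'em', 'strong']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'class', 'id']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Relative URLs and allowlisted schemes pass; javascript:, data: etc. do not.
// Control characters and whitespace are dropped first because browsers
// ignore some of them when parsing a URL.
function safeUrl(value) {
  const v = String(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(v);
  return m === null || SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Build one element from data. `doc` is the browser's `document` (or any
// object with the same three methods). Strings become text nodes, so markup
// inside them is displayed, never parsed. innerHTML and document.write are
// not used anywhere.
function h(doc, tag, attrs = {}, children = []) {
  if (!ALLOWED_TAGS.has(tag)) throw new Error(`tag not allowed: ${tag}`);
  const node = doc.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) {
    if (!ALLOWED_ATTRS.has(name)) throw new Error(`attribute not allowed: ${name}`);
    if (URL_ATTRS.has(name) && !safeUrl(value)) {
      throw new Error(`URL scheme not allowed in ${name}`);
    }
    node.setAttribute(name, String(value));
  }
  for (const child of [].concat(children)) {
    const isNode = typeof child === 'object' && child !== null;
    node.appendChild(isNode ? child : doc.createTextNode(String(child)));
  }
  return node;
}
```

In a browser, pass `document` as the first argument and attach the returned node with `appendChild`.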

Custom Framework Solution
None

Custom Code Solution
None

Discussion / Controversy
DOM-based XSS is sometimes referred to as “type-0 XSS”.