OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS) - DOM-Based
Cross-Site Scripting (XSS) - DOM-Based
Root Cause Summary
Browser / Standards Solution
Generic Framework Solution
"Web 2.0" frameworks must expose an API for page creation/modification that does not use document.write/ln or allow dynamic data to be injected into innerHTML or similar DOM element attributes. Dynamic data must be written to the DOM by using createTextNode, which does not introduce the danger of interpreting user data as functional code.
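One shape such a page-creation API could take, as an added example that is not part of the original page or of any real framework: every dynamic string reaches the DOM through createTextNode, and tags or attributes that can run script are refused. The names h, SAFE_TAGS, SAFE_ATTRS and fakeDocument are hypothetical, and fakeDocument is a constructed stand-in for the browser's document so the block runs under Node.

```javascript
// Hypothetical allow-lists: elements and attributes that cannot execute script.
const SAFE_TAGS = new Set(["p", "span", "div", "li", "ul", "strong", "em"]);
const SAFE_ATTRS = new Set(["class", "title", "lang", "dir"]);

// Build an element without any HTML parsing. Non-node children always become
// text nodes; script-capable tags and attributes (script, on*, href, style)
// are refused instead of being filtered.
function h(doc, tag, attrs = {}, children = []) {
  if (!SAFE_TAGS.has(String(tag).toLowerCase())) {
    throw new Error(`tag not allowed: ${tag}`);
  }
  const node = doc.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) {
    if (!SAFE_ATTRS.has(name.toLowerCase())) {
      throw new Error(`attribute not allowed: ${name}`);
    }
    node.setAttribute(name, String(value));
  }
  for (const child of children) {
    const isNode = child !== null && typeof child === "object";
    node.appendChild(isNode ? child : doc.createTextNode(String(child)));
  }
  return node;
}

// Constructed stand-in for `document` so the block runs under Node;
// in a browser, pass the real `document`.
const fakeDocument = {
  createElement: (tag) => ({
    nodeType: 1, tagName: tag, attributes: {}, childNodes: [],
    setAttribute(name, value) { this.attributes[name] = value; },
    appendChild(child) { this.childNodes.push(child); return child; },
  }),
  createTextNode: (data) => ({ nodeType: 3, data }),
};

// Constructed untrusted value, standing in for data read from the URL fragment.
const untrusted = "<img src=x onerror=alert(1)>";

// The markup-looking string ends up as one inert text node under <p>.
function demo() {
  return h(fakeDocument, "p", { class: "greeting" }, ["Hello, ", untrusted]);
}
```
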
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
DOM-Based Cross-Site Scripting is sometimes referred to as “Type-0 XSS”.