DOM-XSS mitigation is hampered by a lack of standardization across browsers and a large attack surface.
Reducing the threat:
The most common way to reduce the threat is encoding/escaping of string input. The code reviewer should talk with development staff to see whether any frameworks were used to help eliminate common XSS vulnerabilities.
- OWASP ESAPI (Java)
- ValidateRequest (ASP.NET)
- Anti-XSS library (ASP.NET)
- AntiSamy (Java)
- strip_tags, sanitize (Ruby on Rails)
- Django template escaping (Python Django)
- Coverity Security Library (Java)
- xss validator (Node.js)
- HTML Purifier
- Google Caja
As with standard XSS, the code reviewer should always pay attention to the following points:
- How the programmer is validating input data. Not validating data is the root of all evil.
- Making sure data is escaped when the script writes out the page.
- Use of an element's .innerHTML and .outerHTML properties.
- Using user data in jQuery's element creation.
- jQuery's append.
- Using user data in strings that generate CSS.
Microsoft ASPX .Net
- On ASPX .Net pages, code review should check that the web.config file does not turn off page validation. <pages validateRequest="false" />
- .Net framework 4.0 does not allow page validation to be turned off. Hence, if the programmer wants to turn off page validation, the developer will need to regress back to 2.0 validation mode. <httpRuntime requestValidationMode="2.0" />
- The code reviewer needs to make sure page validation is never turned off anywhere and, if it is, understand why and the risks it opens the organization to. <%@ Page Language="C#" ValidateRequest="false" %>
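As an added example (not part of the original page or of any framework listed above), the following Node.js script flags the DOM sinks and the ASP.NET validation settings named in the two checklists above, so a reviewer can inspect each hit by hand. The rule ids, file names and sample lines are constructed for illustration.

```javascript
// Added example: flags lines a reviewer should inspect by hand.
// Rule ids and the sample files below are constructed, not from the page.
const RULES = [
  { id: 'html-sink',      re: /\.(?:inner|outer)HTML\s*\+?=(?!=)/ },   // assignment, not comparison
  { id: 'jquery-append',  re: /\.append\s*\(/ },
  { id: 'jquery-create',  re: /(?:\$|jQuery)\s*\(\s*['"`]\s*<[^)]*(?:\+|\$\{)/ }, // $('<tag>' + data)
  { id: 'css-string',     re: /\.cssText\s*\+?=(?!=)|\.setAttribute\s*\(\s*['"]style['"]/ },
  { id: 'validation-off', re: /validateRequest\s*=\s*["']false["']/i },
  { id: 'validation-2.0', re: /requestValidationMode\s*=\s*["']2\.0["']/i },
];

// Returns one finding per (line, rule) match, skipping full-line // comments.
function scan(name, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    if (/^\s*\/\//.test(line)) return;
    for (const { id, re } of RULES) {
      if (re.test(line)) findings.push({ file: name, line: i + 1, rule: id, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample input: a client script and a web.config fragment.
const SAMPLE_JS = [
  "var name = location.hash.slice(1);",
  "document.getElementById('greet').innerHTML = 'Hi ' + name;",
  "if (box.innerHTML == '') { box.textContent = name; }",
  "$('<div class=\"u\">' + name + '</div>').appendTo('body');",
  "$('<div>').text(name).appendTo('body');",
  "$('#list').append(item);",
  "banner.style.cssText = 'background:' + color;",
  "// el.outerHTML = name;",
].join('\n');

const SAMPLE_CONFIG = [
  '<pages validateRequest="false" />',
  '<httpRuntime requestValidationMode="2.0" />',
  '<httpRuntime requestValidationMode="4.0" />',
].join('\n');

function report() {
  return [...scan('app.js', SAMPLE_JS), ...scan('web.config', SAMPLE_CONFIG)];
}

for (const f of report()) console.log(`${f.file}:${f.line} [${f.rule}] ${f.text}`);
```

A hit is a prompt for manual review, not a confirmed vulnerability: the reviewer still has to trace whether the value reaching the sink is user-controlled and whether it was escaped.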
OWASP DOM BASED XSS 
OWASP DOM BASED Cheat Sheet [www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet]