
Remediation Steps

Follow the steps below to remediate this finding (generic developer guidance).

  1. DOM-based XSS occurs when JavaScript reads untrusted data (URL fragments, query strings, localStorage) and writes it to the DOM without sanitisation.

  2. Remediation steps:

    • Never pass unsanitised data to innerHTML, document.write(), or eval().
    • Use textContent instead of innerHTML when setting text.
    • Validate and encode any data read from location.hash, location.search, or postMessage events before using it in the DOM.
    • Use a trusted library such as DOMPurify to sanitise HTML before injecting it:

        element.innerHTML = DOMPurify.sanitize(untrustedHTML);
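The following is an added example, not code from the original guidance: it puts the vulnerable fragment-to-innerHTML pattern beside a hardened version that validates on read and writes through textContent, plus an origin check for postMessage. `FakeElement`, `readParam`, `isTrustedOrigin` and the two `render*` functions are hypothetical helpers constructed here so the code runs under Node without a browser.

```javascript
// Stand-in DOM element, constructed for this example so the two sinks can be
// compared under Node without a browser: innerHTML keeps markup (XSS sink),
// textContent stores it as inert, encoded text (safe sink).
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

class FakeElement {
  constructor() { this.html = ''; }
  set innerHTML(v) { this.html = String(v); }         // markup is parsed: sink
  set textContent(v) { this.html = htmlEncode(v); }   // text is encoded: safe
  get innerHTML() { return this.html; }
}

// Read one key from a "#k=v" fragment or "?k=v" query and validate it against
// an allow-list pattern before it can reach any sink (hypothetical helper).
function readParam(fragmentOrQuery, key, pattern = /^[\w .-]{0,64}$/) {
  const params = new URLSearchParams(fragmentOrQuery.replace(/^[#?]/, ''));
  const raw = params.get(key);
  if (raw === null) return null;
  return pattern.test(raw) ? raw : null; // anything outside the allow-list is dropped
}

// Accept a postMessage event only from an explicitly allow-listed origin.
function isTrustedOrigin(event, allowedOrigins) {
  return allowedOrigins.includes(event.origin);
}

// Vulnerable pattern the guidance warns about: raw fragment data into innerHTML.
function renderVulnerable(el, hash) {
  const name = new URLSearchParams(hash.slice(1)).get('name') ?? '';
  el.innerHTML = 'Hello ' + name;
  return el.innerHTML;
}

// Hardened: validate on read, then write through textContent.
function renderSafe(el, hash) {
  const name = readParam(hash, 'name') ?? 'guest';
  el.textContent = 'Hello ' + name;
  return el.innerHTML;
}

const el = new FakeElement();
console.log(renderVulnerable(el, '#name=<b>x</b>')); // markup survives intact
console.log(renderSafe(el, '#name=<b>x</b>'));       // rejected, falls back to guest
```

In a real page the same `renderSafe` logic runs against `location.hash`, and the origin check wraps the `message` event handler before any of the event's data is read.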