DOM innerHTML sink
Check whether untrusted values from location, hash, postMessage, and similar sources reach unsafe sinks such as innerHTML.
DOM sink check
This scenario tests how user input is rendered into HTML / DOM, not iframe sandbox behavior.
- Verify whether untrusted sources reach innerHTML, outerHTML, or insertAdjacentHTML
- Check whether rendering can be replaced with textContent or DOM APIs
- Validate client router, hash, and postMessage payloads before writing to a sink
Payload
Checks whether event handlers execute when inserted through innerHTML.
Preview
The preview intentionally performs unsafe rendering for learning. In a real service, this payload should be escaped as text or removed.
Explanation
- DOM-based XSS can happen even when the server response is safe. The client code itself passes an untrusted source into an unsafe sink.
- Typical sources are location.search, location.hash, postMessage, and storage values. Typical sinks are innerHTML, outerHTML, and insertAdjacentHTML.
- Render via textContent or DOM APIs whenever possible, and route real HTML only through a trusted HTML filter.