Fixing DOM-Based XSS
Author: HollyGraceful Published: 25 October 2020
Whilst Reflected and Stored XSS can generally be addressed through server-side encoding of user input (for example with the PHP htmlentities() function) or with browser protections such as Content-Security-Policy, these measures are not sufficient for DOM-based XSS, because the untrusted data is read and written by client-side JavaScript and may never pass through the server at all.
Furthermore, dangerous functions such as eval() should be entirely avoided. The Mozilla Developer Network describes eval() as “an enormous security risk”. Their page has an entire section titled “Never use eval()!”
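As an added example (not code from the original article), the following shows a fragment-to-innerHTML flow that no server-side encoding can reach, beside the textContent fix and a client-side encoder, plus a JSON.parse replacement for eval() on fragment data; the element, the parameter names name and opts, and the option allowlist are assumptions for illustration.

```javascript
// Added example (not from the original article). It models a page that reads a
// name from the URL fragment, e.g. https://example.test/#name=Alice. The fragment
// never leaves the browser, so htmlentities() on the server cannot help here.

// Pull one parameter out of a fragment such as "#name=Alice&opts=..."
function fragmentParam(hash, key) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get(key) || '';
}

// VULNERABLE sink: innerHTML parses the value as markup, so any tags supplied
// in the fragment become live elements in the page.
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = 'Hello ' + fragmentParam(hash, 'name');
  return el.innerHTML;
}

// FIXED: textContent writes the value as text, never as markup.
// In a browser: renderGreetingSafe(document.getElementById('greeting'), location.hash)
function renderGreetingSafe(el, hash) {
  el.textContent = 'Hello ' + fragmentParam(hash, 'name');
  return el.textContent;
}

// Client-side equivalent of htmlentities() for the rare case where innerHTML
// is unavoidable because the template itself must contain markup.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingEncoded(el, hash) {
  el.innerHTML = '<b>Hello</b> ' + encodeForHtml(fragmentParam(hash, 'name'));
  return el.innerHTML;
}

// Replacement for eval() when the fragment carries structured data: JSON.parse
// only ever produces data, and the allowlist drops any key the page does not expect.
const ALLOWED_OPTIONS = new Set(['theme', 'lang']);
function readOptions(hash) {
  let parsed;
  try { parsed = JSON.parse(fragmentParam(hash, 'opts') || '{}'); } catch { return {}; }
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return {};
  const out = {};
  for (const [k, v] of Object.entries(parsed)) {
    if (ALLOWED_OPTIONS.has(k) && typeof v === 'string') out[k] = v;
  }
  return out;
}
```

The functions take the target element as a parameter so the same code runs against a plain object outside a browser; the difference between the unsafe and fixed versions is which property they write.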