Fixing DOM-Based XSS
Published: 25 October 2020
Whilst Reflected and Stored XSS can generally be addressed through server-side encoding of user input (such as with the PHP htmlentities() function) or through browser protections such as Content-Security-Policy, this is not sufficient for DOM-XSS, where the untrusted data is read and written entirely within client-side JavaScript and never passes through the server.
Where a dangerous function (a sink) is used, any user input that reaches it should be restricted through input validation. An allow-list approach, accepting only known-good input, should be used: for example, limiting input to the smallest character set possible (such as alphanumerics only) and checking the expected data type (such as accepting only integers).
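The allow-list approach above, as an added example that is not code from the original article. It pairs a vulnerable innerHTML write with a hardened version that validates against an alphanumeric allow-list and writes through textContent, plus an integer check with a range. The element object is a constructed stand-in for a real DOM node so the code runs outside a browser; in a page the same functions would receive the result of document.getElementById().

```javascript
// Added example: allow-list validation of untrusted DOM input before it
// reaches a dangerous sink. Not part of the original article.

// Allow-list: only ASCII letters and digits, bounded length.
const ALPHANUM = /^[A-Za-z0-9]{1,32}$/;

// Returns the value unchanged if it is a short alphanumeric string, else null.
function allowAlphanumeric(value) {
  if (typeof value !== 'string' || !ALPHANUM.test(value)) return null;
  return value;
}

// Returns a Number if the string is a plain decimal integer within [min, max],
// else null. The regex rejects exponents, hex, whitespace and unicode digits.
function allowInteger(value, min, max) {
  if (typeof value !== 'string' || !/^-?[0-9]{1,9}$/.test(value)) return null;
  const n = Number(value);
  if (n < min || n > max) return null;
  return n;
}

// Constructed stand-in for a DOM element so the example runs under Node.
// A real browser element would parse innerHTML as markup; this stub only
// stores the strings, which is enough to show which sink each path uses.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern: a URL fragment such as location.hash.slice(1) is
// written straight into innerHTML, so any markup it contains is rendered.
function renderUnsafe(el, fragment) {
  el.innerHTML = 'Hello ' + fragment; // DOM-XSS sink, input unvalidated
  return el.innerHTML;
}

// Hardened pattern: reject anything outside the allow-list, then write the
// value as text so the browser never interprets it as HTML.
function renderSafe(el, fragment) {
  const name = allowAlphanumeric(fragment);
  if (name === null) return null;      // input rejected, nothing written
  el.textContent = 'Hello ' + name;    // text sink, not parsed as markup
  return el.textContent;
}

// Hardened pattern for a numeric parameter, e.g. a page number from the URL.
function selectPage(pageParam) {
  const page = allowInteger(pageParam, 1, 500);
  if (page === null) return 1;         // fall back to a safe default
  return page;
}
```

The validators return null rather than throwing so the calling code is forced to handle the rejected case explicitly; renderSafe leaves the element untouched when validation fails.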
Furthermore, dangerous functions such as eval() should be entirely avoided. The Mozilla Developer Network describes eval() as “an enormous security risk”. Their page has an entire section titled “Never use eval()!”
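The two most common reasons eval() ends up in front-end code are parsing data from the URL and selecting a function by name. The following added example (not code from the original article or from MDN) replaces each with a construct that cannot execute attacker-controlled text as script; the same replacements apply to eval-equivalents such as new Function() and a string argument to setTimeout(). The handler names in ACTIONS are constructed for the example.

```javascript
// Added example: eval()-free alternatives for the two usual eval() use cases.
// Not part of the original article.

// 1. Parsing structured data from the URL fragment or a query parameter.
//    eval(text) would run arbitrary script; JSON.parse accepts only JSON and
//    throws on anything else, which we turn into a null result.
function parseSettings(fragmentText) {
  let parsed;
  try {
    parsed = JSON.parse(fragmentText);
  } catch (e) {
    return null;                       // not JSON: reject
  }
  // Accept only a plain object, not an array, number, string or null.
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return null;
  }
  // Allow-list the keys and value types we actually use.
  const settings = {};
  if (parsed.theme === 'light' || parsed.theme === 'dark') {
    settings.theme = parsed.theme;
  }
  if (Number.isInteger(parsed.pageSize) && parsed.pageSize > 0 && parsed.pageSize <= 100) {
    settings.pageSize = parsed.pageSize;
  }
  return settings;
}

// 2. Choosing an action by name. eval(name + '()') or window[name]() lets the
//    caller reach any global function; a frozen dispatch table limits the
//    choice to the handlers listed here (constructed names for the example).
const ACTIONS = Object.freeze({
  expand: () => 'expanded',
  collapse: () => 'collapsed',
});

function runAction(name) {
  // hasOwnProperty guards against inherited names such as "constructor" or
  // "toString", which a plain `name in ACTIONS` check would accept.
  if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(ACTIONS, name)) {
    return null;
  }
  return ACTIONS[name]();
}
```

parseSettings copies only the allow-listed keys into a fresh object, so unexpected properties in the input never reach application code; runAction can only ever call one of the two functions in the table, whatever string it is given.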