XSS via the DOM

The JavaScript utility functions used on this page, in particular the URLSearchParams interface, might not work in all browsers: see the list of browsers that support it.

Go to this webpage with a parameter name in the URL, e.g.
http://www.cs.ru.nl/~erikpoll/websec/demo/xss_via_DOM.html?name=John.

The fragment of HTML below uses JavaScript in combination with the DOM to retrieve the parameter name from the URL and include it in the content of the page. If you change the value of the parameter name, say from 'John' to 'Maria', the webpage should change.


Hello ! Welcome to this webpage.


You can now try to inject HTML mark-up tags, or even scripts, in the parameter name. For instance, try the links below:

Some things you can try:


Note that the DOM-based cross-site scripting on this page is no threat to our web server: you are simply injecting JavaScript that you are running client-side in your own browser. The script is sent to the server, but the server does nothing with it: the server just returns a fixed HTML page, and it is only when your browser renders this page, and executes the JavaScript inside, that the payload in the name parameter 'detonates'.

A typical XSS injection via the DOM will not be as simple as on this page. There may be many places where an attacker could try to insert malicious input. Here it is done via URL parameters, but it could be done via any input field to the web application.

If inputs supplied by an attacker are passed back and forth between client and server, they may end up being HTML- or URL-encoded, which may prevent them from triggering as scripts. In fact, for this page, the name parameter in the URL is URL-encoded. Normally this would prevent it from being executable JavaScript, as <script> URL-encodes to %3Cscript%3E. However, the JavaScript library function we use to retrieve the parameter values -- the get method of URLSearchParams -- is kind enough to automatically URL-decode data for us ;-)

If the JavaScript inside this webpage URL- or HTML-encoded parameters before inserting them in the HTML, then a simple DOM-based XSS would no longer be possible. For instance, the URL-encoded name in the current URL is .
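The two points above (URLSearchParams.get() hands back the decoded value, and encoding or a text-only sink closes the hole) can be seen in a few lines of plain JavaScript. The example below is added here and is not the demo page's own script; the function names, the "greeting" element id and the sample query strings are assumptions. It reads the name parameter the way the page does, shows the vulnerable string-concatenation-into-innerHTML pattern, and then the two hardened forms: HTML-encoding the value, or avoiding HTML strings altogether by assigning textContent.

```javascript
// Added example (not the demo page's own code): reading ?name=... with
// URLSearchParams and rendering it, in vulnerable and hardened forms.

// Read the "name" parameter from a location.search string. get() returns the
// value already URL-decoded, so "%3Cscript%3E" comes back as "<script>".
function getNameParam(search) {
  const value = new URLSearchParams(search).get("name");
  return value === null ? "" : value;
}

// Vulnerable: the raw parameter is concatenated into an HTML string. If this
// string is assigned to element.innerHTML, any mark-up in the parameter is
// parsed by the browser and becomes part of the DOM.
function renderUnsafeHtml(search) {
  return "Hello " + getNameParam(search) + "! Welcome to this webpage.";
}

// Hardened (1): HTML-encode the five characters that can break out of a text
// context before the value is placed in an HTML string.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSafeHtml(search) {
  return "Hello " + escapeHtml(getNameParam(search)) + "! Welcome to this webpage.";
}

// Hardened (2): avoid HTML strings entirely and assign textContent, which the
// browser never parses as mark-up. `element` is any object with a textContent
// property: a real DOM element in the browser, a plain object in a test.
function renderSafeText(element, search) {
  element.textContent = "Hello " + getNameParam(search) + "! Welcome to this webpage.";
  return element.textContent;
}

// Detection aid: does the decoded parameter contain characters that would be
// interpreted as mark-up or attribute delimiters if inserted unescaped?
function containsMarkup(search) {
  return /[<>"'&]/.test(getNameParam(search));
}

// In a browser this renders the greeting safely into an element whose id
// "greeting" is an assumption of this example; under Node.js nothing runs here.
if (typeof document !== "undefined") {
  renderSafeText(document.getElementById("greeting"), window.location.search);
}
```

The difference between the two sinks is the whole story: innerHTML re-parses its input as HTML, so the decoded `<script>` from get() is live mark-up, whereas textContent stores it as literal characters and the page simply displays "<script>".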