
Advanced DOM XSS Patterns Every Developer Should Know
If you're serious about finding DOM XSS in modern applications, you need to move beyond "search for innerHTML" and start thinking like a data-flow analyst.

1. Indirect Object Property Injection

    let key = location.hash.substring(1);   // source: attacker-controlled URL fragment
    let obj = { content: key };             // tainted value is now hidden in an object
    document.body.innerHTML = obj.content;  // sink: HTML parser sees the raw fragment

Payload: #<img src=x onerror=alert(1)>
Why it works: The input is hidden inside an object, making it easy to miss.
How to think: Track data even when it's wrapped in objects.
Fix: document.body.textContent = obj.content;

2. Array Join Injection

    let parts = [location.hash, " world "];  // source: location.hash sits inside an array
    document.body.innerHTML = parts.join(""); // sink: join() returns the fragment unchanged

Payload: #<svg/onload=alert(1)>
Why it works: Array operations don't sanitize input.
Fix: document.body.textContent = parts.join("");

3. replace() Callback Injection

    let result = location.hash.replace(/x/g, () => '<img src=x onerror=alert(1)>'); // the callback emits markup for every match
    document.body.innerHTML = result;                                               // sink

Payload: #xxx
Why it work
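The data-flow view the article asks for can be mechanised. The tracker below is an added example, not code from the article or from Dev.to: a small heuristic taint tracker that marks variables fed by `location.*`-style sources, follows them through simple `let`/`const`/`var` declarations, and reports lines where they reach `innerHTML`, `outerHTML` or `insertAdjacentHTML`. It runs over a constructed sample containing the three vulnerable flows above plus the `textContent` fix; it is a one-statement-per-line heuristic, not a real JavaScript parser.

```javascript
// Added example (not the article's code): heuristic taint tracking for the three
// patterns above. One statement per line is assumed; this is not a JavaScript parser.
const SOURCE_RE = /\b(location\.(hash|search|href|pathname)|document\.(URL|referrer|baseURI)|window\.name)\b/;
const DECL_RE = /^\s*(?:let|const|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/;
const SINK_RE = /\.(innerHTML|outerHTML)\s*=\s*(.+?);?\s*$|\.(insertAdjacentHTML)\s*\([^,]+,\s*(.+?)\)\s*;?\s*$/;

// True if the expression references any identifier currently marked tainted.
function mentionsTainted(expr, tainted) {
  for (const name of tainted) {
    if (new RegExp("\\b" + name.replace(/\$/g, "\\$") + "\\b").test(expr)) return true;
  }
  return false;
}

// Returns [{ line, sink, expr }] for every HTML-sink assignment fed by tainted data.
function findTaintedSinks(source) {
  const tainted = new Set();
  const findings = [];
  source.split("\n").forEach((line, i) => {
    const decl = line.match(DECL_RE);
    if (decl) {
      const [, name, rhs] = decl;
      if (SOURCE_RE.test(rhs) || mentionsTainted(rhs, tainted)) tainted.add(name);
      else tainted.delete(name); // redeclared with clean data: taint is cleared
      return;
    }
    const sink = line.match(SINK_RE);
    if (sink) {
      const sinkName = sink[1] || sink[3];
      const rhs = sink[2] || sink[4];
      if (SOURCE_RE.test(rhs) || mentionsTainted(rhs, tainted)) {
        findings.push({ line: i + 1, sink: sinkName, expr: rhs.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample: the article's three vulnerable flows plus two clean lines.
const SAMPLE = [
  "let key = location.hash.substring(1);",           // pattern 1: object wrapping
  "let obj = { content: key };",
  "document.body.innerHTML = obj.content;",
  'let parts = [location.hash, " world "];',         // pattern 2: array join
  'document.body.innerHTML = parts.join("");',
  "let result = location.hash.replace(/x/g, () => '<b>y</b>');", // pattern 3: replace callback
  "document.body.innerHTML = result;",
  'let safe = "static";',
  "document.body.innerHTML = safe;",                 // clean data: not reported
  "document.body.textContent = obj.content;",        // the article's fix: not an HTML sink
].join("\n");
console.log(findTaintedSinks(SAMPLE));
```

Running it reports lines 3, 5 and 7 of the sample and stays silent on the `textContent` line, which is exactly the distinction the article's fixes rely on.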
Continue reading on Dev.to