DOM based Cross Site Scripting - pallavitewari21/Secure-Code GitHub Wiki
DOM-based XSS carries all the risks associated with the other types of XSS, with the added problem that it can be invisible to the server: the URI fragment (the part of the URL after `#`) is never sent in the HTTP request, so server-side input validation, web application firewalls and request logs never see the payload. Any page whose JavaScript reads the URI fragment is potentially at risk.
Frameworks like Ember, AngularJS and React use templates that make constructing ad-hoc HTML an explicit (and rare) action. This pushes your development team towards best practices and makes unsafe operations easier to detect: in React, for instance, the escape hatch is literally named `dangerouslySetInnerHTML`, so a code search finds every use.
Sometimes a full JavaScript framework is too heavyweight for your site. In that case you will need to conduct regular code reviews to spot every location that reads `window.location.hash`. Agree a coding standard for how URI fragments are written and interpreted, and centralise that logic in a single core library, so that it is the only place in the code base that touches the fragment.
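As an added example (not code from this wiki), here is what such a central fragment library can look like in plain JavaScript. The fragment syntax (`#key=value&key2=value2`), the parameter names and the allowed values are assumptions made for the example; the point is that every other module calls `parseFragment()` and gets back validated strings, never raw fragment text.

```javascript
// Added example, not from the original page. One module owns all fragment handling;
// everything else calls parseFragment() and never touches window.location.hash itself.
//
// Assumed convention: the fragment is "#key=value&key2=value2" (URLSearchParams syntax).
// Every parameter the application understands is declared below, together with the
// values it may take. Anything not declared is ignored; anything not allowed falls back
// to its default, so the output can drive routing or lookups but never carries markup.
const FRAGMENT_SCHEMA = {
  page: { allowed: new Set(['home', 'about', 'contact']), defaultValue: 'home' },
  sort: { allowed: new Set(['asc', 'desc']), defaultValue: 'asc' },
  // Free text still gets a tight character class and a length cap: no < > " ' & etc.
  q: { pattern: /^[\w\s-]{0,64}$/, defaultValue: '' },
};

// Parse a raw fragment string (e.g. the value of window.location.hash) into a plain
// object of validated values. `rejected` lists the keys whose value was present but
// refused, which is useful for logging probes without echoing the bad value anywhere.
function parseFragment(rawHash) {
  const params = new URLSearchParams(String(rawHash || '').replace(/^#/, ''));
  const values = {};
  const rejected = [];
  for (const [key, rule] of Object.entries(FRAGMENT_SCHEMA)) {
    const value = params.get(key); // already percent-decoded by URLSearchParams
    const ok = value !== null && (rule.allowed ? rule.allowed.has(value) : rule.pattern.test(value));
    if (ok) {
      values[key] = value;
    } else {
      values[key] = rule.defaultValue;
      if (value !== null) rejected.push(key);
    }
  }
  return { values, rejected };
}

// Inverse operation: build a fragment from validated values so that links the app
// emits follow the same convention (URLSearchParams percent-encodes as needed).
function buildFragment(values) {
  const params = new URLSearchParams();
  for (const [key, rule] of Object.entries(FRAGMENT_SCHEMA)) {
    if (key in values && values[key] !== rule.defaultValue) params.set(key, values[key]);
  }
  const s = params.toString();
  return s ? '#' + s : '';
}

// The only place in the code base that is allowed to read the fragment. In Node there
// is no window, so this returns the defaults; a source scanner can allow-list this file.
function currentFragment() {
  const hash = typeof window !== 'undefined' ? window.location.hash : '';
  return parseFragment(hash);
}
```

Because `parseFragment` returns only allow-listed strings (or a pattern-checked, length-capped query), the rest of the application can use the result for routing or lookups without further checks; it should still be written to the page with `textContent`, not `innerHTML`.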
If you use jQuery, carefully check any code that calls `.html(...)`, and also `.append(...)`, `.prepend(...)`, `.before(...)`, `.after(...)` or `$(...)` with a string argument, since all of them interpret a string as HTML. If you are constructing raw HTML on the client side from untrusted input, you may have a problem, whether the input comes from a URI fragment or not. Use the `.text(...)` function whenever possible.
If you are using the native DOM APIs directly, avoid the following properties and functions, all of which parse their argument as HTML:

- `innerHTML`
- `outerHTML`
- `document.write` (and `document.writeln`)
- `insertAdjacentHTML`

Instead, set text content wherever possible:

- `textContent`
- `innerText`

## Parse JSON Carefully

Do not evaluate JSON to convert it to native JavaScript objects, for example with `eval(...)` (or `new Function(...)` or a string argument to `setTimeout`, which have the same effect). Use `JSON.parse(...)` instead: it accepts only the JSON grammar and throws on anything else, so a response that has been tampered with cannot run code.
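The following added example (not code from the wiki) makes the difference concrete on a constructed response body: the legacy `eval('(' + text + ')')` idiom executes whatever the text contains, while `JSON.parse` refuses it. The global flag name and the `parseUser` shape check are assumptions for the example.

```javascript
// Added example, not from the original page: evaluating JSON versus parsing it.
//
// Legacy pattern, still found in old client code: wrap the text in parentheses and
// eval it. Whatever the text contains is executed with the privileges of the page.
function unsafeParse(text) {
  return eval('(' + text + ')'); // DO NOT DO THIS
}

// JSON.parse accepts only the JSON grammar: no identifiers, no calls, no assignments,
// no comments. Anything else is a SyntaxError, which becomes a controlled failure here.
function safeParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Parsing is not validation: after JSON.parse, check the shape you expect before using it.
function parseUser(text) {
  const parsed = safeParse(text);
  if (!parsed.ok) return null;
  const u = parsed.value;
  if (!u || typeof u !== 'object' || typeof u.id !== 'number' || typeof u.name !== 'string') return null;
  return { id: u.id, name: u.name };
}

// Constructed inputs. The second looks like JSON but its second value is an assignment
// expression, i.e. JavaScript code; a real payload would exfiltrate data instead.
const GOOD = '{"id": 1, "name": "alice"}';
const MALICIOUS = '{"id": 1, "name": (globalThis.demoCodeRan = "yes")}';

// Run both parsers over the malicious input and report whether code executed.
function demo() {
  globalThis.demoCodeRan = undefined;
  const safe = safeParse(MALICIOUS);
  const codeRanAfterJsonParse = globalThis.demoCodeRan !== undefined;
  let evalResult;
  try { evalResult = unsafeParse(MALICIOUS); } catch (err) { evalResult = err; }
  const codeRanAfterEval = globalThis.demoCodeRan !== undefined;
  return {
    safeRejected: !safe.ok,
    safeError: safe.error,
    codeRanAfterJsonParse,
    codeRanAfterEval,
    evalName: evalResult.name,
  };
}
```

`demo()` returns `safeRejected: true` and `codeRanAfterJsonParse: false` but `codeRanAfterEval: true`: the same bytes that `JSON.parse` rejects as a syntax error are silently run by `eval`, and the "parsed" object even looks normal afterwards (`name` is `"yes"`).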
Google has released a Chrome plug-in that can identify insecure practices commonly found in client-side code.
## Don't Use URI Fragments At All!

The most secure code is the code that isn't there. If you don't need URI fragments, don't use them. Write a unit test that scans your JavaScript for references to `window.location.hash` (and the equivalent `location.hash` and `document.location.hash`) and fails if the pattern is found anywhere other than the one module that is allowed to read it. When there is a genuine need for URI fragments, that is the moment to agree how they will be used safely.
Modern browsers support Content Security Policy (CSP), which lets the author of a web page control where JavaScript (and other resources) may be loaded and executed from. XSS attacks rely on the attacker being able to run a malicious script in the user's page, either by injecting an inline `<script>` tag (or an inline event handler such as `onerror`) somewhere in the page's markup, or by tricking the browser into loading JavaScript from a domain the attacker controls.
By setting a content security policy in the response header, you can tell the browser to never execute inline JavaScript, and to lock down which domains can host JavaScript for a page:
Content-Security-Policy: script-src 'self' https://apis.google.com

By whitelisting the origins from which scripts may be loaded you are implicitly stating that inline JavaScript (inline `<script>` blocks, inline event handlers and `javascript:` URLs) is not allowed, and, because the policy does not include `'unsafe-eval'`, that `eval(...)` and its relatives are blocked as well. The content security policy can also be set in a `<meta>` tag in the `<head>` element of the page:

`<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://apis.google.com">`

This approach protects your users very effectively. However, it may take a considerable amount of discipline to make your site ready for such a header. Inline script tags are considered bad practice in modern web development (mixing content and code makes web applications difficult to maintain) but are common in older, legacy sites. Two caveats: the `<meta>` form cannot carry `report-uri`, so use the header when you want violation reports; and whitelisting an entire domain is only as strong as that domain, because any endpoint on it that echoes attacker-controlled input (JSONP callbacks, for example) becomes a way around the policy. Nonce- or hash-based `script-src` avoids that dependency.
To migrate away from inline scripts incrementally, make use of CSP violation reports. Send the policy in a Content-Security-Policy-Report-Only header with a `report-uri` directive: the browser then enforces nothing, but POSTs a JSON report describing each violation to that URI instead of blocking the inline JavaScript:

Content-Security-Policy-Report-Only: script-src 'self'; report-uri http://example.com/csr-reports

This gives you reassurance that there are no lingering inline scripts before you ban them outright. The endpoint must accept POST requests with content type `application/csp-report`; `report-uri` is being superseded by `report-to`, but it is still the directive that current browsers understand.