DOM Sink/Source Analyzer
Scan JavaScript code for dangerous DOM sinks and untrusted sources. Visualize data flows and get remediation advice for DOM-based XSS vulnerabilities.
What is DOM-based XSS?
DOM-based XSS occurs when untrusted data from sources (like URL parameters, localStorage, or postMessage) flows into dangerous sinks (like innerHTML, eval, or location.href) without proper validation or sanitization.
Why it matters: Unlike reflected or stored XSS, DOM XSS happens entirely in the browser, making it harder to detect with traditional server-side security tools. This analyzer helps you find these vulnerabilities before they reach production.
Analyze Code for DOM XSS
0 characters
Framework Security Best Practices
React
✓ Safe Practices:
- •Use JSX text interpolation {userInput} for text
- •React auto-escapes text content
- •Avoid dangerouslySetInnerHTML unless absolutely necessary
- •Use DOMPurify if you must render user HTML
- •Validate URLs before using in href or src
✗ Avoid:
dangerouslySetInnerHTMLVue
✓ Safe Practices:
- •Use text interpolation {{ userInput }} for text
- •Vue auto-escapes text content
- •Avoid v-html unless absolutely necessary
- •Use DOMPurify if you must render user HTML
- •Validate URLs before using in v-bind:href
✗ Avoid:
v-htmlAngular
✓ Safe Practices:
- •Use text interpolation {{ userInput }} for text
- •Angular auto-sanitizes by default
- •Avoid bypassSecurityTrust* methods
- •Use DomSanitizer only when necessary
- •Trust Angular sanitization for most cases
✗ Avoid:
[innerHTML]bypassSecurityTrustHtmlbypassSecurityTrustScriptVanilla JavaScript
✓ Safe Practices:
- •Use textContent for text, not innerHTML
- •Create elements with createElement
- •Use addEventListener for events, not inline handlers
- •Validate and sanitize all user input
- •Use DOMPurify for any HTML rendering
✗ Avoid:
innerHTMLouterHTMLevaldocument.write