Cross-site scripting (XSS) from URL data in document.write in browser

High Risk cross-site-scripting
javascript, browser, dom, document.write, xss, client-side

What it is

DOM-based XSS vulnerability in browser JavaScript where untrusted URL components are inserted into the page using document.write without HTML encoding or validation, enabling attackers to inject and execute malicious scripts in the victim's browser context.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Query parameters, hash fragments and other URL components are under the control of whoever crafts the link, and document.write parses its argument as HTML. When such a value is written to the page unchanged, any markup it contains is rendered and any script it contains runs in the origin of the vulnerable page.

Root causes

URL Parameter Injection

URL components like query parameters or hash fragments are directly inserted into document.write.

Lack of Input Validation

URL data is used without proper validation, sanitization, or encoding before DOM insertion.

Fixes

1. Avoid document.write for Dynamic Content

Use safer DOM manipulation methods instead of document.write for inserting dynamic content.

2. Validate and Sanitize URL Parameters

Parse URLSearchParams properly, validate against allowlists, and encode before any DOM insertion.

3. Use DOMPurify for HTML Sanitization

If HTML rendering is required, sanitize content with a vetted library like DOMPurify.
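The three fixes above, carried through in code. This is an added example written for this page, not code from the Sourcery rule or from any real application: the parameter names `name` and `lang`, the language allowlist, the 64-character cap and the sample URL are all constructed. The vulnerable function is kept only to contrast its output with the hardened one; both are written as pure functions that return the string the page would receive, so the logic can be checked outside a browser.

```javascript
// VULNERABLE pattern (for contrast only): the raw query value becomes the
// argument to document.write, so any markup in the URL is parsed as HTML.
function vulnerableWelcomeHtml(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const name = params.get("name") || "guest";
  return "<h1>Welcome, " + name + "</h1>"; // attacker-supplied markup passes through untouched
}

// Fix 2a, encoding: escape the five characters that change meaning in HTML
// text and attribute contexts. Use this only when an HTML string must be built.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fix 2b, allowlisting: a parameter that selects among fixed options is
// compared against the known set and otherwise replaced by a default.
const ALLOWED_LANGS = new Set(["en", "de", "fr"]); // constructed allowlist

function safeLang(params) {
  const lang = params.get("lang");
  return ALLOWED_LANGS.has(lang) ? lang : "en";
}

// Length-bound free text before it reaches the page; 64 is an assumed cap.
function boundedName(params) {
  return (params.get("name") || "guest").slice(0, 64);
}

// HARDENED string builder: parse with URLSearchParams, allowlist the option,
// encode the free text. Returns the exact string a legacy document.write or
// innerHTML sink would receive, so callers can inspect it.
function safeWelcomeHtml(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  const lang = safeLang(params);            // already allowlisted, safe in an attribute
  const name = escapeHtml(boundedName(params));
  return '<h1 lang="' + lang + '">Welcome, ' + name + "</h1>";
}

// Fix 1, preferred in a browser: build the node and assign textContent, which
// never parses HTML, so no escaping is needed (and escaping here would show
// literal "&lt;" to the user). Returns null when there is no DOM, e.g. under Node.
function renderWelcome(pageUrl) {
  if (typeof document === "undefined") return null;
  const params = new URL(pageUrl).searchParams;
  const h1 = document.createElement("h1");
  h1.lang = safeLang(params);
  h1.textContent = "Welcome, " + boundedName(params);
  document.body.appendChild(h1);
  return h1;
}

// Constructed sample: a link carrying markup in "name" and an unknown "lang".
const SAMPLE_URL =
  "https://example.test/welcome?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lang=xx";

console.log("vulnerable:", vulnerableWelcomeHtml(SAMPLE_URL));
console.log("hardened:  ", safeWelcomeHtml(SAMPLE_URL));
```

Note the two distinct safe paths: `renderWelcome` passes the raw, length-bounded value to `textContent` (fix 1), while `safeWelcomeHtml` encodes because it still produces an HTML string (fix 2). Pick one per sink; applying both to the same value double-encodes. Where the requirement is to preserve some markup from the URL rather than display it as text, `escapeHtml` is the wrong tool and fix 3 applies: pass the value through `DOMPurify.sanitize` instead, which is not shown here because it needs the library.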

Detect This Vulnerability in Your Code

Sourcery automatically identifies Cross-site scripting (XSS) from URL data in document.write in browser and many other security issues in your codebase.