XSS

Attack

<sCRipT>alert()</scRipt>


Vectors

If you can control the href attribute of an anchor (<a> element), you can try to set the href value to javascript:alert().

Lists :

DOM XSS

The following are some of the main sinks that can lead to DOM-XSS vulnerabilities:

document.write()
document.writeln()
document.domain
element.innerHTML
element.outerHTML
element.onevent


The following jQuery functions are also sinks that can lead to DOM-XSS vulnerabilities:

add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()


Source: portswigger.net.

Bypass

Replace function

The replace function only replaces the first occurrence.

> "<img src=x onerror='alert()'>".replace("<", "&lt;")
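
The behaviour noted above, as an added example that is not part of the original notes: in JavaScript, replace() with a string pattern changes only the first match, so a single-replacement escape leaves later tags intact. It is shown here beside a full escape; the function names and the sample string are constructed for illustration.

```javascript
// Added example: single-replacement escape versus a full HTML escape.

// Weak form, as in the notes: a string pattern makes replace() stop
// after the first match, so only the first "<" is encoded.
function weakEscape(input) {
  return String(input).replace("<", "&lt;");
}

// Hardened form: a global regex visits every metacharacter. "&" is
// included so entities already present in the input are not reinterpreted.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Regression check for any sanitizer: true if a raw "<" survives.
function leavesRawAngleBracket(sanitize, input) {
  return sanitize(input).includes("<");
}

// Constructed, benign sample containing more than one tag.
const sample = "<b>one</b> <i>two</i>";

console.log(weakEscape(sample));  // &lt;b>one</b> <i>two</i>
console.log(escapeHtml(sample));  // &lt;b&gt;one&lt;/b&gt; &lt;i&gt;two&lt;/i&gt;
console.log(leavesRawAngleBracket(weakEscape, sample));  // true
console.log(leavesRawAngleBracket(escapeHtml, sample));  // false
```

This escape fits HTML text and quoted attribute values only. It does not neutralise a javascript: URL placed in an href, which needs a scheme allowlist instead.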