
Are DOM based XSS attacks still possible in modern browsers?

I am currently doing some research into XSS prevention but I am a bit confused about DOM based attacks. Most papers I have read about the subject give the example of injecting JavaScript through URL parameters to modify the DOM if the value is rendered in the page by JavaScript instead of server-side code.

However, it appears that all modern browsers encode all special characters given through URL parameters if rendered by JavaScript.

Does this mean DOM based XSS attacks cannot be performed unless against older browsers such as IE6?

Forget about those old-school XSS examples from 10 years ago. Programmers who write JavaScript to render a page by taking something unescaped from query params have either been fired or switched to frameworks like angular/backbone a long time ago.

However, reflected/stored XSS still widely exists. This requires proper escaping from both server side and client side. Modern frameworks all provide good support for escaping sensitive characters when rendering the HTML. For example, when rendering views from model data, angular has the $sce (strict contextual escaping) service (https://docs.angularjs.org/api/ng/service/$sce) to address possible XSS threats. backbone models also have methods like "model.escape(attribute)" (http://backbonejs.org/#Model-escape) to eliminate the XSS threats.

They are absolutely possible. If you don't filter output that originated from your users, that output can be anything, including scripts. The browser doesn't have a way to know whether it is a legitimate script controlled by you or not.

It's not a matter of modern browsers, it's the basic principle that the browser treats every content that comes from your domain as legitimate to execute.

There are other aspects that are indeed blocked (sometimes, not always) by modern browsers (although security flaws always exist) like cross-domain scripting, 3rd party access to resources etc.
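As an added example (not from the question or either answer), here is a Node-runnable model of the pattern the question describes: the browser percent-encodes the URL, but the script that reads the parameter decodes it again, and concatenating the decoded value into markup destined for innerHTML is what lets tags through. The function names, the escaping helper and the sample query string are mine.

```javascript
// Added example: client-side rendering of a URL parameter, the DOM-based XSS
// pattern discussed above. Runs under Node, no browser needed.

// The browser sends the URL percent-encoded, but URLSearchParams (like
// decodeURIComponent) hands the script the decoded text, so that encoding
// is not a defence.
function getParam(search, name) {
  return new URLSearchParams(search).get(name) || '';
}

// Vulnerable pattern: the decoded value is concatenated into a string that a
// page would assign to element.innerHTML. The browser parses that string as
// HTML, tags and event-handler attributes included.
function renderUnsafe(search) {
  return '<h1>Hello ' + getParam(search, 'name') + '</h1>';
}

// Minimal HTML escaping for text placed into element content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Hardened pattern: escape before building markup (or assign the raw value
// to element.textContent so no HTML parsing happens at all).
function renderSafe(search) {
  return '<h1>Hello ' + escapeHtml(getParam(search, 'name')) + '</h1>';
}

// Constructed query string, exactly as a browser would send it after encoding.
// Decoded it reads: <b onmouseover=x()>guest</b>  (x is a placeholder name)
const SAMPLE = '?name=%3Cb%20onmouseover%3Dx()%3Eguest%3C%2Fb%3E';

console.log('unsafe:', renderUnsafe(SAMPLE)); // markup reaches the parser intact
console.log('safe:  ', renderSafe(SAMPLE));   // markup rendered as literal text
```

The same idea applies to any DOM sink that parses HTML (innerHTML, outerHTML, document.write, insertAdjacentHTML); a sink that only sets text is the simplest fix.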
