DOM XSS Sources & Sinks

	A	B	C	E	F
1	Sources	Description	Example	Sinks	Description
2	document.URL	Assigned value		eval	1st Argument
3	document.documentURI	Assigned value		function	1st argument if only one else last
4	document.URLUnencoded	Assigned value; IE only		setTimeout	1st If and only IF string
5	document.baseURI	Assigned value		setInterval	1st If and only IF string
6	document.cookie	Assigned value		execScript	1st Argument
7	document.referrer	Assigned value		crypto.generateCRFMRequest	5th Argument
8	location	Assigned value		ScriptElement.src	Assigned value
9	location.href	Assigned value		ScriptElement.text	Assigned value
10	location.search	Assigned value		ScriptElement.textContent	Assigned value
11	location.hash	Assigned value		ScriptElement.innerText	Assigned value
12	location.pathname	Assigned value		anyTag.onEventName	Assigned value
13	localStorage.getItem	1st Argument	localStorage.getItem(literal); localStorage.getItem(variable);	document.write	Any arugment
14	sessionStorage.getItem	1st Argument	sessionStorage.getItem(literal); sessionStorage.getItem(variable);	document.writeln	Any arugment
15	sessionStorage.key	1st Argument	sessionStorage.key(literal); sessionStorage.key(variable);	anyElement.innerHTML	Assigned value
16	responseText	Assigned value	xhr.responseText; readonly	Range.createContextualFragment	1st Argument
17	data	Assigned value	postMessage; e.data;	HTMLButton.value	Assigned value
18	value	Assigned value	<textarea>.value; <input>.value	location	Assigned value
19	name	Assigned value		location.href	Assigned value
20	window.name	Assigned value		location.pathname	Assigned value
21	websockets.onMessage		??	location.search	Assigned value
22				location.protocol	Assigned value
23				location.hostname	Assigned value
24				location.assign()	1st Argument
25				location.replace()	1st Argument
26				element.setAttribute('href', source);	If element is img, iframe, script, anchor and source is not a literal
27	Prepared by	@dpnishant		element.setAttribute('src', source);	If element is img, iframe, script, anchor and source is not a literal
28	Legend			element.setAttribute('text', source);	If element is script and source is not a literal
29		Sources Added by me		element.setAttribute('innerText', source);	If element is script and source is not a literal
30		Confused...		element.setAttribute('on*', source);	If source is any element
31		Practical Use Case? Confused...		element.setAttribute('value', source);	If source is input element
32		Sinks added by me
33		Taken from DOMXSSWiki