| Advantages | Disadvantages |
| --- | --- |
| The researchers [73] have presented defensive strategies against DOM-based XSS attacks. Under normal circumstances, the DOM tree is constructed, its scripting nodes are extracted, and a whitelist is created for future use. For malicious websites, the DOM tree is generated and its nodes are parsed for injected script code. Any difference found between the whitelist and the parsed script code is treated as suspicious. | This technique may block the execution of harmless JavaScript code if it does not match the whitelist. |
| The researchers [74] proposed the use of a client-server model to ensure the integrity of the document structure. This approach combines runtime tracking and randomization to prevent XSS attacks. As a result, harmful data cannot affect web application content by manipulating the document structure. | This method needs modifications on both the client and the server, and it cannot prevent DOM-based XSS attacks. |
| To identify and mitigate Cross-site Scripting (XSS) vulnerabilities on mobile browsers, the authors of [75] presented a method known as Buffer Based Cache Check. Using a cache avoids the time-consuming and resource-intensive process of continually transmitting the script whitelist to the web page. Instead, the server saves the confirmed scripts that correspond to the last time the web page was browsed. Any deviation that is discovered suggests suspicious activity such as XSS. | Code modifications on both the client and server sides are required for this method, which leads to a decrease in overall performance. |
| The researchers [76] have proposed a new approach to data cleaning using context-sensitive sanitization. The server-side and client-side contexts are determined statically and dynamically. Sanitizer primitives are then applied to the vulnerable variable in accordance with its context. | This technique does not defend against malicious script code obtained from a third party. |
| The researchers [77] have proposed a client-server approach that extracts JavaScript code and analyzes it on the client side. After the JavaScript is decoded, the injected values are matched against the suspicious variable contexts. According to the authors, the presence of a match indicates an XSS attack. | The matching between request parameters and response parameters used in this technique cannot detect DOM-based XSS attacks, which are client-side vulnerabilities. |
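The whitelist comparison described for [73], together with its stated drawback, as an added Python example that is not code from the surveyed paper. The class and function names, the hashing scheme and the serialised DOM snapshots are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects the scripting nodes of a page: <script> elements and on* handlers."""
    def __init__(self):
        super().__init__()
        self.nodes, self._inline = [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if name.startswith("on") and value:
                self.nodes.append(("handler", value))
        if tag == "script":
            if attrs.get("src"):
                self.nodes.append(("external", attrs["src"]))
            else:
                self._inline = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            self.nodes.append(("inline", "".join(self._inline)))
            self._inline = None

def script_nodes(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.nodes

def fingerprint(kind, text):
    # Whitespace-normalised hash, so reformatting alone does not break a match.
    return hashlib.sha256(f"{kind}:{' '.join(text.split())}".encode()).hexdigest()

def build_whitelist(trusted_html):
    return {fingerprint(k, t) for k, t in script_nodes(trusted_html)}

def suspicious_nodes(html, whitelist):
    return [(k, t) for k, t in script_nodes(html) if fingerprint(k, t) not in whitelist]

# Constructed DOM snapshots (serialised HTML), not taken from the surveyed paper.
TRUSTED = '<body><script src="/static/app.js"></script><script>initMenu();</script></body>'
INJECTED = TRUSTED.replace("</body>", '<script>document.title = "injected";</script></body>')
UPDATED = TRUSTED.replace("initMenu();", "initMenu({animate: true});")
```

`suspicious_nodes(UPDATED, build_whitelist(TRUSTED))` flags the site's own edited script exactly as it flags the injected one in `INJECTED`, which is the false-positive cost listed in the Disadvantages column.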