domxss.html
<html>
<p id="name">Hello</p>
<script>
var url = new URL(window.location.href);
var name = url.searchParams.get("name");
document.getElementById('name').innerHTML = 'Hello ' + name;
</script>
</html>
http://localhost/?name=<svg/onload=alert(1)>
location.href is the source: the unfiltered input.
innerHTML is the sink: the place where the untrusted data is actually executed, leading to DOM XSS.
document.write()
window.location
document.cookie
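
The hardened counterpart of the source-to-sink flow in domxss.html, as an added example that is not part of the original page. The helper names (escapeHtml, readName, greetSafely, greetingMarkup) are assumptions chosen for illustration.

```javascript
// Added example: safe replacements for the innerHTML assignment in domxss.html.

// Encode the characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the source (the "name" query parameter) from a URL string.
// A missing parameter becomes "" instead of the string "null".
function readName(href) {
  const name = new URL(href).searchParams.get("name");
  return name === null ? "" : name;
}

// Preferred fix: assign to textContent, which never parses markup,
// so the value is rendered as literal text.
function greetSafely(element, href) {
  element.textContent = "Hello " + readName(href);
}

// Fallback when the sink has to remain innerHTML: encode the untrusted
// value before concatenating it into markup.
function greetingMarkup(href) {
  return "Hello " + escapeHtml(readName(href));
}

// In a browser this replaces the vulnerable script body.
// The guard lets the same file load outside a browser.
if (typeof document !== "undefined") {
  greetSafely(document.getElementById("name"), window.location.href);
}
```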