In a reflected DOM XSS vulnerability, the server processes data from the request, and echoes the data into the response. When you are in a DOM execution context you only need to JavaScript encode HTML attributes which do not execute code (attributes other than event handler, CSS, and URL attributes). Quoting makes it difficult to change the context a variable operates in, which helps prevent XSS. For example, the general rule is to HTML Attribute encode untrusted data (data from the database, HTTP request, user, back-end system, etc.) Sometimes you can't change the offending code. This is commonly seen in programs that heavily use custom JavaScript embedded in their web pages. See Browser compatibility for up-to-date cross-browser support information.Key TermDOM-based cross-site scripting happens when data from a user controlled source (like user name, or redirect URL taken from the URL fragment) reaches a sink, which is a function like eval() or a property setter like .innerHTML, that can execute arbitrary JavaScript code. At a basic level XSS works by tricking your application into inserting a