Cookies

Referrer

Window name

LocalStorage

Within an in-line script:

Within a script include:

SessionStorage

Within an in-line script:

Within a script include:

PostMessage

Sinks located inside a PostMessage handler missing a proper origin check.

Event triggering

This class of XSS is only triggered after an event is fired.

These XSS cases from input values trigger only after the value is actually typed (the input field receives typing / change events).

javascript:-URIs

javascript:-URIs have implicit document open/write behavior that can be used to write unsanitized HTML.

DOM Propagation

The XSS payload gets stored in the DOM and is later retrieved in JavaScript.