Developers should use the following prevention steps to avoid introducing XSS into their application. Semgrep rule to identify above DOM XSS link. When the iframe is loaded, an XSS vector is appended to the hash, causing the hashchange event to fire. At a basic level, XSS works by tricking your application into inserting a