Is this considered DOM-XSS or self-XSS or both?


A web page shows a login error page using these JavaScript lines:

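<script>
    // Read the parameters from the query string of the page URL
    let queryParams = new URLSearchParams(window.location.search);
    // innerText treats the value as plain text, not markup
    document.getElementById("message").innerText = queryParams.get("message");
    let link = document.getElementById("link");
    link.innerText = queryParams.get("linkText");
    // The URL-supplied value is assigned to href without any scheme check
    link.href = queryParams.get("linkUrl");
</script>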

The last JavaScript line allows me to hide JavaScript inside a link in the web page by crafting a URL like the following.

1) the user clicks the shortened version of this link

2) the user clicks “click here to shine”

3) the alert opens

I was inspired by this article on PortSwigger, in particular by this example:

If a JavaScript library such as jQuery is being used, look out for sinks that can alter DOM elements on the page. For instance, the attr() function in jQuery can change attributes on DOM elements. If data is read from a user-controlled source like the URL and then passed to the attr() function, then it may be possible to manipulate the value sent to cause XSS. For example, here we have some JavaScript that changes an anchor element’s href attribute using data from the URL:

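$(function() {
    // Takes returnUrl from the query string and writes it to the href unchecked
    $('#backLink').attr("href", (new URLSearchParams(window.location.search)).get('returnUrl'));
});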

You can exploit this by modifying the URL so that the source contains a malicious JavaScript URL. After the page’s JavaScript applies this malicious URL to the back link’s href, clicking on the back link will execute it:


QUESTION: to me they look like the same kind of attack, but someone told me it is a self-XSS. Anyway, I read that self-XSS expects the user to paste JavaScript code into his console himself. So I’m confused and I’d like to know which type it is. Also, can it be considered a vulnerability of medium/high severity or not?
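One way to close the `link.href` sink in the snippet from the question, shown as an added example that is not part of the original post: parse the `linkUrl` value with the same URL parser the browser uses and accept only `http:`/`https:` results. The names `safeLinkUrl`, `buildErrorLink`, `FALLBACK_HREF` and the `app.example.test` page URL are assumptions made for this sketch.

```javascript
// Added example (not from the original post): scheme allow-list for linkUrl.
// safeLinkUrl, buildErrorLink and FALLBACK_HREF are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const FALLBACK_HREF = "/login"; // assumed safe default target

// Returns a normalised absolute URL, or null if the value must not become an href.
function safeLinkUrl(raw, pageUrl) {
  if (typeof raw !== "string" || raw === "") return null;
  let parsed;
  try {
    // The WHATWG URL parser trims leading whitespace, drops tabs/newlines and
    // lower-cases the scheme, so the check sees what the browser would follow.
    parsed = new URL(raw, pageUrl);
  } catch {
    return null; // unparsable input is rejected, not passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Mirrors the question's logic, but returns the values instead of touching the DOM.
function buildErrorLink(queryString, pageUrl) {
  const q = new URLSearchParams(queryString);
  return {
    message: q.get("message") ?? "",   // still assigned via innerText in the page
    linkText: q.get("linkText") ?? "",
    href: safeLinkUrl(q.get("linkUrl"), pageUrl) ?? FALLBACK_HREF,
  };
}

// Constructed sample inputs, for illustration only.
const PAGE = "https://app.example.test/error";
const samples = [
  "?message=Bad+login&linkText=Retry&linkUrl=/login?retry=1",
  "?message=Bad+login&linkText=Retry&linkUrl=javascript:alert(1)",
  "?message=Bad+login&linkText=Retry&linkUrl=%20JaVaScRiPt:alert(1)",
];
for (const s of samples) {
  console.log(s, "->", buildErrorLink(s, PAGE).href);
}
```

This still accepts any `http(s)` origin; comparing `parsed.origin` against the page's own origin is a further restriction if the link should never leave the site.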