The third type (developed by Amit Klein and available since 2005), DOM XSS, occurs when client-side code uses insecure references to DOM objects that are not entirely controlled by server-provided pages. Generally, but not limited to, APIs that dynamically inject attacker-controllable data to a page and JavaScript frameworks. Single-page applications are vulnerable to DOM XSS.
XSS protection needs to filter malicious content from user input and also needs encoding (escape).