:\n\ninnerHTML executes the script (XSS attack)\ninnerText displays it as harmless text\n\nFor complex HTML insertion:\n// Create elements programmatically\nconst p = document.createElement(\"p\");\np.textContent = userInput;\ncontainer.appendChild(p);\n\n", "dateModified": "2026-06-20T17:11:56+00:00" } } }

LOGBOOK

HELP

Quiz Entry - updated: 2026.06.20

How do you safely insert user-provided content into the DOM?

Assign user input with innerText or textContent (which escape HTML) instead of innerHTML, so injected scripts cannot run.

// UNSAFE - allows script injection
element.innerHTML = userInput;

// SAFE - escapes HTML characters
element.innerText = userInput;
element.textContent = userInput;

Why it matters: If userInput contains <script>alert('hacked')</script>:

  • innerHTML executes the script (XSS attack)
  • innerText displays it as harmless text

For complex HTML insertion:

// Create elements programmatically
const p = document.createElement("p");
p.textContent = userInput;
container.appendChild(p);

From Quiz: WEBT / Frontend | Updated: Jun 20, 2026