Security S-10
User Content Is Untrusted HTML.
innerHTML: el.innerHTML = userInput injects <script>steal()</script> into the page as markup
Escaped output: &lt;script&gt;… is rendered as text, not code
LaunchYourVibe S-10
User-generated content rendered directly to the DOM is an XSS vector. Escape or sanitize everything that came from a user before it touches the page.