Let’s say you have an input-based navigation system like so:


```html
<!DOCTYPE html>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Bob's Books</title>
<link rel="stylesheet" href="main.css">
<script defer src="script.js"></script>
<h1>Bob's Books</h1>
<div id="default">
  <p><i>Where would you like to go?</i></p>
  <input id="location" type="text" placeholder="Where would you like to go?">
  <button id="go">Go!</button>
</div>
<div id="result" hidden>
  <!-- ... -->
  <!-- Elements with spans for things like name, image, etc. that have IDs handled in script -->
</div>
<p>This Project Is Under The MIT License.</p>
```


```css
*, *::before, *::after {
  box-sizing: border-box;
}
body {
  font-family: Arial, Helvetica, sans-serif;
  /* ... */
}
```


```javascript
// ...
// The dangerous line: the input's value is written into the page as markup.
// span is one of the result <span>s, requestedLocation is the value of #location.
span.innerHTML = requestedLocation;
```

Now, this would be great, right? … Not so much.

If a malicious person wanted to run their own JavaScript in the page (read cookies or tokens, call your backend as the logged-in user, load further scripts, and so on), they would type something like this into the input:

```html
<img src onerror="(function goodbyeBob(){ /* ... */ })()">
```

Since innerHTML parses the string as HTML, the browser creates a real `<img>` element. Its empty src attribute fails to load, which fires the error event straight away, and the inline onerror handler runs with the full privileges of the page. Note that a `<script>` element inserted through innerHTML is not executed, which is exactly why attackers put their code in an event handler attribute like onerror instead.

How To Fix

Change every place where user input reaches innerHTML to use textContent instead (innerText also works, but it is layout-dependent and slower, so textContent is the usual choice). Both assign the string as text, so a `<` is displayed as a literal character and nothing is parsed as markup.

If you want SOME HTML features to be available to the user, do not try to filter the input with .replace(), if ... else or guard clauses: a blacklist of known-bad strings is bypassed by encoding tricks and by tags you did not think of (an `<img onerror>` payload contains no `<script>` tag at all). Use a maintained allowlist sanitizer such as DOMPurify and pass only its output to innerHTML, or build the allowed elements yourself with document.createElement and set their text with textContent. As defence in depth, serve a Content-Security-Policy whose script-src does not include 'unsafe-inline', so an inline onerror handler is refused even if one sink is missed.
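The fix applied to the Bob's Books widget, as an added example that is not part of the original post. It shows the safe path (write the value as text), an escaping helper for the case where a template string cannot be avoided, and why the `.replace()` approach fails against the `<img onerror>` payload discussed above. The function names, the `<span id="name">` inside `#result`, and the `goodbyeBob` placeholder in the constructed payload are assumptions made for this example; the browser wiring at the bottom only runs when a `document` exists, so the file also runs under Node for the checks.

```javascript
// Added example, not code from the original post.

// Escape the five characters that matter when user input is placed
// into HTML text or into a quoted attribute value.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

// The kind of ".replace()" filter a first attempt at a fix often uses:
// it strips <script> tags and nothing else.
function naiveStrip(str) {
  return String(str).replace(/<\/?script[^>]*>/gi, "");
}

// Safe rendering: assign the value as text, never as markup.
// `el` is any element (or plain object) with a textContent property.
function setTextSafely(el, value) {
  el.textContent = String(value);
  return el;
}

// If building an HTML string is unavoidable, escape every interpolated value.
function buildResultMarkup(requestedLocation) {
  return `<p>You asked for: <span id="name">${escapeHtml(requestedLocation)}</span></p>`;
}

// Does a string still contain anything the HTML parser would treat as a tag?
function containsTag(html) {
  return /<[a-z!/?]/i.test(html);
}

// Constructed sample payload in the spirit of the post (goodbyeBob is a placeholder).
// The <script> part would not run via innerHTML anyway; the <img onerror> part would.
const PAYLOAD = '<img src onerror="goodbyeBob()"><script>goodbyeBob()</script>';

// Browser wiring for the page's #location input, #go button and #result box.
// Assumes a <span id="name"> inside #result; falls back to #result itself.
if (typeof document !== "undefined") {
  document.getElementById("go").addEventListener("click", () => {
    const requested = document.getElementById("location").value;
    const result = document.getElementById("result");
    setTextSafely(result.querySelector("#name") || result, requested);
    result.hidden = false;
  });
}
```

With textContent the payload is shown to the user exactly as typed and nothing executes; with the naive filter the `<img onerror>` part survives untouched, which is the point of preferring an allowlist sanitizer or plain text over string replacement.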