// $div is assumed to be an existing element, e.g. document.querySelector('div')
const user_input = `<em>hello world</em><img src="" onerror=alert(0)>`;
$div.innerHTML = user_input; // the <img> element's onerror handler runs alert(0)

If you escape the HTML special characters in the input string, or insert it with .textContent instead, alert(0) is not executed. However, the <em> added by the user is then also rendered literally as text, so this method cannot be used if the text decoration in the HTML is to be kept. The best thing to do here is not es
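The trade-off above, as an added example that is not part of the original post: full escaping neutralises the payload but also turns `<em>` into literal text, while an allowlist sanitizer keeps the permitted formatting tags (attributes dropped) and escapes everything else. The sanitizer, the `ALLOWED_TAGS` set and the regex-based tokenizer are my own assumptions for illustration; no DOM is needed, so it runs stand-alone.

```javascript
// Added example: escaping vs. an allowlist sanitizer for untrusted HTML.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML special character. Safe to assign to innerHTML,
// but user-supplied <em> becomes visible text instead of formatting.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Allowlist sanitizer (assumed policy): only these tags survive, with all
// attributes removed; every other tag and every stray < > & is escaped.
const ALLOWED_TAGS = new Set(['em', 'strong', 'b', 'i']);
// Matches a complete opening, closing or self-closing tag: <em>, </em>, <img ...>
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)(?:\s[^<>]*)?\/?>/g;

function sanitizeHtml(s) {
  let out = '';
  let last = 0;
  for (const m of s.matchAll(TAG_RE)) {
    out += escapeHtml(s.slice(last, m.index));          // text between tags
    const tag = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (ALLOWED_TAGS.has(tag)) {
      out += closing ? `</${tag}>` : `<${tag}>`;         // rebuilt without attributes
    } else {
      out += escapeHtml(m[0]);                            // unknown tag shown as text
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(s.slice(last));                       // trailing text
  return out;
}

// Constructed input, same as the one discussed above.
const USER_INPUT = '<em>hello world</em><img src="" onerror=alert(0)>';
console.log(escapeHtml(USER_INPUT));   // <em> is lost, payload is inert
console.log(sanitizeHtml(USER_INPUT)); // <em> kept, <img onerror> rendered as text
```

A regex tokenizer is enough to show the policy difference; in production, prefer a parser-based sanitizer such as DOMPurify, which handles malformed markup the way the browser's own parser does.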

