What is it?

Cross-Site Scripting (XSS) attacks occur when an attacker places malicious code into a website. This usually happens when the website accepts user input, and it can be prevented by validating that input with JavaScript and by preventing HTML markup.

innerHTML, nodeValue, and textContent

There are three primary ways of updating an HTML element's content after user input.


innerHTML is a property that gets/sets the HTML within an HTML element. This includes any HTML markup that has been placed within that parent element. It is vulnerable to XSS attacks.


nodeValue is a property that gets/sets the text node of an HTML element. It is more specific than textContent: if there is a nested HTML element within the selected element, nodeValue works only on the text node, not on its nested element sibling. It is safe against XSS attacks.


textContent is a property that gets/sets the text within the containing element. It ignores nested HTML elements. It is also safe against XSS attacks.
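
The three setters described above, side by side, as an added example that is not code from the original page. The sample input, the function names and the `<p>` element used in the demo are assumptions made for illustration.

```javascript
// Constructed sample input: markup submitted through a form field.
const UNTRUSTED = '<img src="x" onerror="console.log(\'handler ran\')">';

// Vulnerable: the string is parsed as HTML, so an <img> element is created
// and its onerror handler runs when the image fails to load.
function setUnsafe(el, input) {
  el.innerHTML = input;
}

// Safe: replaces every child of el with a single text node holding the raw string.
function setWithTextContent(el, input) {
  el.textContent = input;
}

// Safe: writes to the first text node that is a direct child of el and leaves
// nested elements in place. Returns false when el has no text node to update.
function setWithNodeValue(el, input) {
  for (const child of el.childNodes) {
    if (child.nodeType === 3) { // 3 is Node.TEXT_NODE
      child.nodeValue = input;
      return true;
    }
  }
  return false;
}

// Browser-only demo; skipped when no DOM is available (for example under Node).
if (typeof document !== 'undefined') {
  const el = document.createElement('p');
  el.innerHTML = 'Hello <b>world</b>'; // static, trusted markup
  setWithNodeValue(el, UNTRUSTED);     // text node changes, <b> is kept
  console.log('nodeValue:', el.children.length, 'child element(s)');
  setWithTextContent(el, UNTRUSTED);   // <b> is gone, input shown literally
  console.log('textContent:', el.children.length, 'child element(s)');
  setUnsafe(el, UNTRUSTED);            // input becomes a live <img> element
  console.log('innerHTML:', el.children.length, 'child element(s)');
}
```

When an element has no text node yet, `setWithNodeValue` returns false; fall back to `setWithTextContent` rather than to `innerHTML`.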