XSS

What is it?

XSS (Cross-Site Scripting) is an attack in which an attacker places malicious code into a website. This usually occurs when the website allows user input, and it can be prevented by using JavaScript validation and preventing HTML markup.

innerHTML, nodeValue, and textContent

There are three primary ways of updating an HTML element's content after user input.

innerHTML

innerHTML is a property that gets/sets the HTML within an HTML element. This includes any HTML markup that has been placed within the parent node. It is vulnerable to XSS attacks.

nodeValue

nodeValue is a property that gets/sets the text node of an HTML element. It is more specific than textContent: if the selected element contains a nested HTML element, nodeValue works only on the text node, not on its nested element sibling. It is safe against XSS attacks.

textContent

textContent is a property that gets/sets the text within the containing element. It ignores nested HTML elements. It is also safe against XSS attacks.
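
The distinction between the three properties can be turned into a review check. The following is an added example, not code from the original page: a line-based heuristic (regular expressions, not a JavaScript parser) that lists every write to innerHTML, nodeValue, or textContent in a source string and marks innerHTML writes whose value is not a constant string. The sample source and every identifier in it are constructed for illustration.

```javascript
// Added example, not from the original page: a heuristic source audit.
// Constructed sample input; every identifier in it is hypothetical.
const SAMPLE = [
  'const name = new URLSearchParams(location.search).get("name");',
  'banner.innerHTML = "Hello, " + name;',
  'list.innerHTML = "";',
  'title.textContent = name;',
  'label.firstChild.nodeValue = name;',
  'if (box.innerHTML === "") { init(); }',
].join("\n");

// A write to one of the three properties: "=" or "+=", but not "==" / "===".
const WRITE_RE = /\.(innerHTML|nodeValue|textContent)\s*\+?=(?!=)\s*([^;\n]*)/g;
// A right-hand side that is one constant string with no interpolation.
const LITERAL_RE = /^(?:(["'])(?:(?!\1)[^\\]|\\.)*\1|`[^`$]*`)$/;

function auditContentWrites(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    if (text.trim().startsWith("//")) return; // skip whole-line comments
    for (const match of text.matchAll(WRITE_RE)) {
      const prop = match[1];
      const rhs = match[2].trim();
      let verdict;
      if (prop !== "innerHTML") {
        verdict = "text-only";        // value is stored as text, never parsed
      } else if (LITERAL_RE.test(rhs)) {
        verdict = "constant-markup";  // parsed as HTML, but no user input in it
      } else {
        verdict = "review";           // dynamic value parsed as HTML: XSS risk
      }
      findings.push({ line: index + 1, prop, verdict });
    }
  });
  return findings;
}

for (const f of auditContentWrites(SAMPLE)) {
  console.log(`line ${f.line}: ${f.prop} -> ${f.verdict}`);
}
```

Lines marked "review" are the candidates for switching to textContent or nodeValue; the comparison on the last sample line is a read, so it is not reported.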