Will It Vibe logoWill It Vibe?
WEBSEC-015High severity-15 points

innerHTML/outerHTML assigned a non-literal value

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

innerHTML or outerHTML is assigned a variable or an interpolated template string, which parses the value as live HTML and is a classic DOM XSS sink.

Why it matters

Assigning a variable or an interpolated template string to innerHTML or outerHTML parses it as HTML, so any attacker-influenced part can inject markup and scripts (DOM-based XSS). Values that look internal today often start carrying user data later. Setting text this way is also unnecessary when the content is plain text.

How to fix it

For plain text use textContent (or React/framework rendering), which escapes automatically. When you must insert HTML, sanitize it with DOMPurify.sanitize right before assignment, or build the DOM with createElement and safe property setters instead of an HTML string. Avoid concatenating untrusted values into the markup at all.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks