innerHTML/outerHTML assigned a non-literal value
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
innerHTML or outerHTML is assigned a variable or an interpolated template string, which parses the value as live HTML and is a classic DOM XSS sink.
Why it matters
Assigning a variable or an interpolated template string to innerHTML or outerHTML parses it as HTML, so any attacker-influenced part can inject markup and scripts (DOM-based XSS). Values that look internal today often start carrying user data later. Setting text this way is also unnecessary when the content is plain text.
How to fix it
For plain text use textContent (or React/framework rendering), which escapes automatically. When you must insert HTML, sanitize it with DOMPurify.sanitize right before assignment, or build the DOM with createElement and safe property setters instead of an HTML string. Avoid concatenating untrusted values into the markup at all.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo