Use of document.write()
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
document.write/writeln parses its argument as HTML into the document; with any dynamic content it is an XSS sink, and it blocks the parser.
Why it matters
document.write parses its argument as HTML directly into the page, so any dynamic content passed to it is an XSS sink. Called after the page has loaded it wipes the existing document, and during load it blocks the HTML parser, which browsers actively penalize. It is a legacy API with safer replacements for every use.
How to fix it
Build content with DOM methods (createElement, append, textContent) or framework rendering instead. For inserting trusted markup into a known element, set sanitized HTML on that element rather than writing to the whole document. Remove document.write entirely rather than trying to make its input safe.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo