Will It Vibe logoWill It Vibe?
WEBSEC-017Low severity-4 points

Use of document.write()

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

document.write/writeln parses its argument as HTML into the document; with any dynamic content it is an XSS sink, and it blocks the parser.

Why it matters

document.write parses its argument as HTML directly into the page, so any dynamic content passed to it is an XSS sink. Called after the page has loaded it wipes the existing document, and during load it blocks the HTML parser, which browsers actively penalize. It is a legacy API with safer replacements for every use.

How to fix it

Build content with DOM methods (createElement, append, textContent) or framework rendering instead. For inserting trusted markup into a known element, set sanitized HTML on that element rather than writing to the whole document. Remove document.write entirely rather than trying to make its input safe.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks