theory.js

Security & Performance Best Practices

Preventing XSS

Cross-site scripting (XSS) occurs when attackers inject malicious scripts into web pages viewed by other users.

  • Use `textContent` instead of `innerHTML` when inserting untrusted text, so the browser treats it as text rather than markup.
  • Where user-supplied HTML genuinely has to be rendered, sanitise it first with a library such as DOMPurify.
  • Implement a Content Security Policy (CSP) so the browser only runs scripts from sources you have allowed.

// Unsafe: Using innerHTML (XSS risk)
document.getElementById("output").innerHTML = userInput;

// Safe: Using textContent
document.getElementById("output").textContent = userInput;
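The snippet above covers the DOM case. The example below (added here, not part of the original notes) handles the case where an HTML string has to be built anyway, e.g. in a server-side template, by escaping the user-controlled parts, and shows how a CSP header value is assembled from a directive map. The function names `escapeHtml`, `renderComment` and `buildCsp` and the sample comment are this example's own.

```javascript
// Added example, not from the original notes. Runs in Node without a DOM.

// The five characters that can change meaning inside HTML text or attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape untrusted input so the browser renders it as literal text.
// Prefer textContent in the DOM; this is for template/string rendering.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build a comment fragment. Only the user-supplied parts are escaped;
// the surrounding markup is a fixed, developer-controlled template.
function renderComment(author, body) {
  return `<li class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Turn a directive map into a Content-Security-Policy header value.
// Sent as a response header, it restricts where scripts may be loaded from.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Constructed sample: a comment body that would execute if assigned via innerHTML.
const sampleAuthor = "eve";
const sampleBody = "<script>alert(1)</script> hi";

// After escaping, the script tag is inert text inside the list item.
console.log(renderComment(sampleAuthor, sampleBody));

// A policy that allows scripts only from the same origin and one CDN
// (the CDN host is a placeholder).
console.log(
  buildCsp({
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
  })
);
```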