CodeClarityLab / Glossary
Ctrl K
← CodeClarityLab Home
Browse by Category
+ added · updated 7d
⚖ Terms of Use
← Back to glossary

DOM Manipulation

javascript ES5 Beginner
debt(d5/e1/b3/t7)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5), because the detection_hints list eslint and semgrep as the tools, and the code_pattern specifically targets innerHTML with user-supplied content without DOMPurify. ESLint rules for no-unsanitized or semgrep patterns can flag these, but they require configuration beyond default linting, placing this squarely at d5.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch or single-call swap' (e1), because the quick_fix explicitly states 'Use textContent not innerHTML for user-generated text; use createElement+appendChild for structured content' — in most cases this is a direct property swap at the call site, not a multi-file refactor.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3), because applies_to is scoped to web contexts only, and the burden is felt in individual components where DOM manipulation is written rather than being cross-cutting or architectural. Future maintainers must remember safe patterns per-usage but the rest of the codebase is largely unaffected.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7), because the misconception field explicitly describes a non-obvious, cross-boundary confusion: developers believe PHP-originated content is safe because it was sanitized server-side, but if user input was stored then rendered, XSS is still possible client-side. This contradicts the mental model that 'backend = trusted' and is a documented, commonly hit gotcha that contradicts how server-side sanitization is understood to work.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-09 · reviewed by human

Also Known As

querySelector createElement DOM API innerHTML

TL;DR

querySelector, createElement, innerHTML — reading and modifying PHP-rendered HTML from JavaScript.

Explanation

querySelector('#id') and querySelectorAll('.class') are the modern API. createElement + appendChild for safe node creation. innerHTML is fast but XSS-vulnerable with user content — use textContent for text, createElement for structured content. dataset reads data-* attributes set by PHP. PHP renders HTML; JavaScript enhances it progressively. getElementById is slightly faster for id lookups but querySelector is more flexible.

Common Misconception

innerHTML is safe as long as the content comes from your PHP backend — if the PHP content originally came from user input that was stored then rendered, XSS is still possible; use textContent for user-generated text.

Why It Matters

PHP renders the initial HTML; JavaScript manipulates it client-side for dynamic UX — understanding safe DOM patterns prevents XSS while enabling rich interactivity.

Common Mistakes

  • Using innerHTML with user-generated content — XSS risk
  • Not checking if element exists before accessing properties
  • document.write() — blocks parser and overwrites document
  • Querying DOM before DOMContentLoaded fires

Code Examples

✗ Vulnerable 
// XSS if username comes from user input via PHP:
document.querySelector('#greeting').innerHTML = 'Hello ' + username;

// Race condition — element may not exist yet:
const el = document.querySelector('#late-element').textContent;
✓ Fixed 
// Safe text insertion:
document.querySelector('#greeting').textContent = 'Hello ' + username;

// Safe structured content:
const li = document.createElement('li');
li.textContent = item.name; // safe
li.dataset.id   = item.id;
list.appendChild(li);

// Read PHP data-* attributes:
const userId = document.querySelector('[data-user-id]')?.dataset.userId;
Added 17 Mar 2026
Edited 22 Mar 2026
Views 33

Curated in Warsaw under one editorial standard. 1,448 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W 1 ping T 0 pings F 3 pings S 0 pings S 0 pings M 0 pings T 0 pings W 1 ping T 0 pings F 1 ping S 1 ping S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 0 pings M 0 pings T 0 pings W 1 ping T 0 pings F
Agents 0
No pings yet today
Amazonbot 8 Perplexity 5 Ahrefs 3 Google 3 Unknown AI 3 SEMrush 2 Meta AI 1 Majestic 1
Also referenced
Cross-Site Scripting (XSS) 31 Client-Side Sanitisation 28 Event Delegation 27 Template Literals 22
How they use it
crawler 23 crawler_json 1 pre-tracking 2
Related categories
security 4.6k javascript 2.5k
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Use textContent not innerHTML for user-generated text; use createElement+appendChild for structured content
📦 Applies To
javascript ES5 web
🔗 Prerequisites
🔍 Detection Hints
innerHTML with user-supplied or database-sourced content without DOMPurify; document.write usage
Auto-detectable: ✓ Yes eslint semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Medium False Positives: Medium ✗ Manual fix Fix: Medium Context: Function Tests: Update
CWE-79
✓ schema.org compliant