include::../description.adoc[]

== Noncompliant Code Example

Example of a basic DOM-XSS attack (http://vulnerable/page.html#):

----
const rootDiv = document.getElementById('root');
// The URL fragment is fully controlled by whoever crafted the link
const hash = decodeURIComponent(location.hash.slice(1));
rootDiv.innerHTML = hash; // Noncompliant: the fragment is parsed as HTML
----

== Compliant Solution

The https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/innerText[innerText] property of an HTML element sets or returns the text content of the element. Assigning to it removes all child nodes and inserts the value as plain text, so the value is never parsed as markup:

----
const rootDiv = document.getElementById('root');
const hash = decodeURIComponent(location.hash.slice(1));
rootDiv.innerText = hash; // Compliant: the fragment is rendered as text only
----

include::../see.adoc[]
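
The compliant pattern with its failure mode handled, as an added example that is not part of this rule's own code: `decodeURIComponent` throws a `URIError` on malformed percent-encoding, and some code paths must build markup rather than assign text. The helper names `decodeFragment`, `renderFragment` and `escapeHtml` are hypothetical, `escapeHtml` goes beyond the `innerText` case shown above, and the sample inputs in the usage are constructed.

```javascript
// Added example: helper names are hypothetical, not from the rule or any library.

// Decode a URL fragment. decodeURIComponent throws URIError on malformed
// percent-encoding (for example a truncated "%A"), so fall back to the raw text
// instead of letting the exception abort rendering.
function decodeFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (e) {
    if (e instanceof URIError) return raw;
    throw e;
  }
}

// Text sink: the value is stored as text and is never parsed as HTML.
function renderFragment(element, hash) {
  element.innerText = decodeFragment(hash);
  return element.innerText;
}

// For code that must concatenate untrusted text into an HTML string:
// escape the five characters that are significant in element content
// and in quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Browser usage; skipped when no DOM is available (for example under Node.js).
if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  const rootDiv = document.getElementById('root');
  if (rootDiv) renderFragment(rootDiv, location.hash);
}
```
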