description

Handling potentially unsafe (possibly malicious) content: HTML injection risk.

JavaScript injection is also possible by injecting a "script" HTML tag.

JavaScript through the "href" HTML attribute is also possible.

JavaScript through the "onclick" and "onmouseover" attributes is demonstrated as well.


Distinction between innerText and innerHTML


Input of safe or unsafe (possibly malicious) content


Here fetch() is demonstrated for content retrieved over HTTP (both static and dynamic content, from HTTP servers, files and/or web apps/APIs).

fetch_div1.innerText = text

fetch_div2.innerHTML = text
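
Added example (not part of the original demo): one way to keep fetched content inert, by assigning it as text or by encoding it before it reaches innerHTML. The names escapeHtml, safeHref, renderAsText, renderLink, showFetched and SAMPLES are assumptions made for this illustration, and the sample strings are constructed.

```javascript
// Added example: el arguments only need innerText / innerHTML properties.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text so the HTML parser treats it as characters, not as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Accept relative URLs and http/https/mailto; any other scheme (javascript:,
// data:, ...) becomes "#". Control characters and spaces are stripped before
// the scheme check because browsers ignore tabs and newlines inside a URL.
function safeHref(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!scheme) return String(url); // no scheme: relative URL
  return ['http', 'https', 'mailto'].includes(scheme[1].toLowerCase()) ? String(url) : '#';
}

// Preferred: the text is displayed literally and never parsed as HTML.
function renderAsText(el, text) {
  el.innerText = text;
}

// When markup is needed: the template is fixed, every inserted value is encoded.
function renderLink(el, label, url) {
  el.innerHTML = `<a href="${escapeHtml(safeHref(url))}">${escapeHtml(label)}</a>`;
}

// Browser usage with the two divs named in the description; the url argument
// is supplied by the caller.
async function showFetched(url, fetch_div1, fetch_div2) {
  const text = await (await fetch(url)).text();
  renderAsText(fetch_div1, text);
  fetch_div2.innerHTML = `<pre>${escapeHtml(text)}</pre>`;
}

// Constructed samples, one per vector listed in the description.
const SAMPLES = [
  '<script>console.log("injected")</script>',
  '<a href="javascript:console.log(1)">link</a>',
  '<b onclick="console.log(1)" onmouseover="console.log(2)">text</b>',
];
```

With these helpers each sample is shown as visible text in both divs instead of being parsed into elements or attributes.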


ES6 string, e.g. from PHP's echo