Why this matters
The bug. innerHTML = userInput parses the input as HTML, including <script> tags. (Modern browsers don't execute inserted <script> tags via innerHTML, but <img onerror>, <svg onload>, and dozens of other vectors still work.)
The fix. Use textContent. The browser inserts a text node; no parsing happens. If you genuinely need formatted output (markdown, etc.), sanitize through DOMPurify *before* setting innerHTML.
Heuristic. The string innerHTML = next to anything that isn't a literal HTML constant deserves a code-review comment.
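The pattern described above, as an added example that is not code from the original page: the vulnerable assignment beside the two fixes (textContent for plain text, DOMPurify before innerHTML for formatted output). The element stub and the sample payload are constructed so the functions can be exercised outside a browser; in a page you would pass a real element and DOMPurify.sanitize (assumed to be loaded separately).

```javascript
// Added example (not the page's own code). In the browser `el` is a real
// element and `sanitize` is DOMPurify.sanitize; both are assumptions here.

// VULNERABLE: the user's string is parsed as HTML. Inserted <script> tags are
// inert, but markup such as an <img> with an onerror handler still runs.
function renderCommentUnsafe(el, userInput) {
  el.innerHTML = userInput;
}

// FIXED: textContent creates a text node; the browser never parses the input.
function renderCommentSafe(el, userInput) {
  el.textContent = userInput;
}

// FIXED for formatted output (markdown already converted to HTML, etc.):
// sanitize first, then assign. `sanitize` is passed in so the function runs
// without a browser; in a page, call renderRichSafe(el, html, DOMPurify.sanitize).
function renderRichSafe(el, untrustedHtml, sanitize) {
  if (typeof sanitize !== 'function') {
    throw new Error('renderRichSafe requires a sanitizer; refusing raw innerHTML');
  }
  el.innerHTML = sanitize(untrustedHtml);
}

// Constructed stand-in for a DOM element: records which sink was written so
// the invariant "the safe path never touches innerHTML" can be checked.
function fakeElement() {
  return { innerHTML: null, textContent: null };
}

// Constructed sample input: a typical innerHTML vector mentioned in the text.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(1)">';

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  const unsafe = fakeElement();
  renderCommentUnsafe(unsafe, SAMPLE_PAYLOAD);
  const safe = fakeElement();
  renderCommentSafe(safe, SAMPLE_PAYLOAD);
  console.log('unsafe wrote innerHTML:', unsafe.innerHTML !== null);
  console.log('safe wrote innerHTML:', safe.innerHTML !== null);
}
```

Because renderRichSafe refuses to run without a sanitizer, a reviewer can grep for the single remaining innerHTML assignment and see that every caller goes through it.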
Review heuristic
Search the diff for dangerouslySetInnerHTML, innerHTML =, document.write, and v-html. Each of those is an opt-out of the framework's safety. Each one needs a justification in the review and a sanitization step on the input.
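The search above, as an added example that is not code from the original page: a small scanner that walks a unified diff, looks only at added lines, and reports each occurrence of the four sinks listed. It goes slightly beyond the text by also matching innerHTML += and by ignoring innerHTML === comparisons, which are not sinks. The diff it scans is constructed for the example.

```javascript
// Added example (not the page's own code): flag opt-outs of framework HTML
// escaping in the added lines of a unified diff.

// Sink patterns. `innerHTML` matches `=` and `+=` but not `==`/`===`.
const DANGEROUS_SINKS = [
  { name: 'dangerouslySetInnerHTML', pattern: /dangerouslySetInnerHTML/ },
  { name: 'innerHTML =',             pattern: /innerHTML\s*\+?=(?!=)/ },
  { name: 'document.write',          pattern: /document\.write\s*\(/ },
  { name: 'v-html',                  pattern: /\bv-html\b/ },
];

// Returns one finding per (added line, sink) pair: file, 1-based line number
// within the diff text, sink name and the offending code.
function findUnsafeSinks(diffText) {
  const findings = [];
  let file = '(unknown)';
  diffText.split('\n').forEach((line, idx) => {
    if (line.startsWith('+++ ')) {            // new-file header: remember the path
      file = line.slice(4).replace(/^b\//, '');
      return;
    }
    if (!line.startsWith('+')) return;        // only added code is in scope
    const code = line.slice(1);
    for (const { name, pattern } of DANGEROUS_SINKS) {
      if (pattern.test(code)) {
        findings.push({ file, diffLine: idx + 1, sink: name, code: code.trim() });
      }
    }
  });
  return findings;
}

// Constructed sample diff (not from any real project). It contains three
// sinks in a JS file, one benign innerHTML comparison, and a v-html in a Vue file.
const SAMPLE_DIFF = [
  'diff --git a/src/comment.js b/src/comment.js',
  '--- a/src/comment.js',
  '+++ b/src/comment.js',
  '@@ -10,4 +10,7 @@',
  ' function render(el, text) {',
  '-  el.textContent = text;',
  '+  el.innerHTML = text;',
  '+  if (el.innerHTML === "") return;',
  '+  document.write("<p>" + text + "</p>");',
  '+  return <div dangerouslySetInnerHTML={{ __html: text }} />;',
  ' }',
  'diff --git a/src/Comment.vue b/src/Comment.vue',
  '--- a/src/Comment.vue',
  '+++ b/src/Comment.vue',
  '@@ -1,3 +1,3 @@',
  '-  <div>{{ body }}</div>',
  '+  <div v-html="body"></div>',
].join('\n');

// Stand-alone demonstration: print findings in a review-friendly form.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findUnsafeSinks(SAMPLE_DIFF)) {
    console.log(`${f.file}: diff line ${f.diffLine}: ${f.sink} needs justification + sanitization: ${f.code}`);
  }
}
```

Each finding is a place where the reviewer should ask for the justification and the sanitization step the text calls for; the scanner does not decide whether either is present.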
External reference: CWE-79: Cross-site Scripting.
↳ CWE-79; OWASP A07.