Why this matters
The bug. innerHTML = hands the right-hand side to the HTML parser before inserting it. A <script> tag inserted this way does not run, but any element carrying an inline event handler does: <img src=x onerror=...> fires as soon as the bogus image fails to load, <svg onload=...> fires on insertion, and <input onfocus=... autofocus> fires the moment focus lands on it. The greeting has become a script-execution primitive. innerHTML is the classic DOM XSS sink; when the name comes straight from the URL or a form and is echoed back, the result is the textbook reflected XSS. Cross-site scripting has been among the most-reported web vulnerabilities for two decades.
The fix. textContent writes the string as a single text node: no parsing, no elements, no handlers. (innerText also works, but it is layout-aware: it forces a reflow and drops text hidden by CSS, so prefer textContent unless you need that behaviour.) The visible greeting is identical; the execution path is gone.
Heuristic. Any innerHTML = in a code review needs a justification. If the answer is 'we want the formatting', the answer to *that* is a sanitizer (DOMPurify is the usual choice) applied immediately before the assignment, not a homegrown regex or a blocklist of tags. If the answer is 'it's just a name', use textContent and stop arguing.
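The three paths above in working code, as an added example that is not part of the original page: the vulnerable greeting, the textContent fix, and the sanitizer branch for the case where markup really is wanted. The payload, the element with id "greeting", and the assumption that DOMPurify is loaded on the page are this example's own.

```javascript
// Constructed attacker input, e.g. the value of location.hash or a ?name=
// parameter. A broken image whose error handler runs script: innerHTML will
// parse it, create the <img>, and fire onerror when "x" fails to load.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// VULNERABLE ('before'): the whole string is handed to the HTML parser.
function renderGreetingUnsafe(el, name) {
  el.innerHTML = 'Hello, ' + name + '!';
}

// FIXED: a single text node. The angle brackets are literal characters;
// the browser never sees a tag, an attribute or a handler.
function renderGreetingSafe(el, name) {
  el.textContent = 'Hello, ' + name + '!';
}

// The 'we want the formatting' case: innerHTML is still the sink, so the
// input goes through a sanitizer first. Assumes DOMPurify is loaded
// (https://github.com/cure53/DOMPurify); DOMPurify.sanitize() strips
// event-handler attributes, <script> and javascript: URLs, keeps benign markup.
// Refuse outright rather than fall back to raw innerHTML when it is missing.
function renderFormatted(el, html) {
  if (typeof DOMPurify === 'undefined') {
    throw new Error('renderFormatted needs a sanitizer; not falling back to raw innerHTML');
  }
  el.innerHTML = DOMPurify.sanitize(html);
}

// Reports which sink each render path wrote to. Takes an element factory so
// it works against real elements in a browser and against a plain-object
// stand-in elsewhere. The stand-in has no parser, so what is checked is which
// property received the untrusted string: that is exactly what decides
// whether the HTML parser ever runs on it.
function whichSinkWasWritten(makeElement, name) {
  const unsafe = makeElement();
  renderGreetingUnsafe(unsafe, name);
  const safe = makeElement();
  renderGreetingSafe(safe, name);
  const hasLiveTag = (el) => typeof el.innerHTML === 'string' && /<img/i.test(el.innerHTML);
  return {
    // Unsafe path: the markup reached innerHTML, so a real <img> exists
    // (a browser serialises it back as a tag; the stand-in holds the raw string).
    unsafeWroteMarkupToParser: hasLiveTag(unsafe),
    // Safe path: the text is stored verbatim as data ...
    safeWroteOnlyText: safe.textContent === 'Hello, ' + name + '!',
    // ... and no tag exists: a browser serialises innerHTML as &lt;img ...&gt;,
    // the stand-in never had innerHTML set at all.
    safeLeftParserUntouched: !hasLiveTag(safe),
  };
}

// Browser wiring (skipped under Node). Assumes <span id="greeting"></span> in
// the page; the fragment after '#' is the untrusted source.
if (typeof document !== 'undefined') {
  const el = document.getElementById('greeting');
  const name = decodeURIComponent(location.hash.slice(1) || 'world');
  if (el) renderGreetingSafe(el, name);
}
```

Load the page as greeting.html#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E and the safe version prints the tag as text; swap the last call for renderGreetingUnsafe and the alert fires.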
Review heuristic
Search the diff for dangerouslySetInnerHTML, innerHTML =, outerHTML =, insertAdjacentHTML, document.write, and v-html. The first and last are explicit opt-outs of the framework's escaping (React and Vue respectively); the rest are the raw DOM sinks that parse their argument as HTML. Each one needs a justification in the review and a sanitization step on the input, applied at the point of the write so both are visible in the same hunk.
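The review heuristic as a tool, as an added example that is not part of the original page: a scanner that walks a unified diff and reports each added line that writes to one of the sinks listed above, with file and new-file line number so the finding can be pasted into the review. The sink list and the sample diff are constructed for this example.

```javascript
// Each entry: the sink's name and a pattern for its use as a write.
// The `(?!=)` keeps `el.innerHTML === ""` comparisons out of the results.
const HTML_SINKS = [
  { name: 'innerHTML',               re: /\.innerHTML\s*\+?=(?!=)/ },
  { name: 'outerHTML',               re: /\.outerHTML\s*\+?=(?!=)/ },
  { name: 'insertAdjacentHTML',      re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write',          re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: 'dangerouslySetInnerHTML', re: /dangerouslySetInnerHTML\s*[=:]/ },
  { name: 'v-html',                  re: /\bv-html\s*=/ },
];

// Walks a unified diff and returns one finding per added line that touches a
// sink. Removed lines and context lines are ignored: only new code needs a
// justification. Line numbers follow the new-file side of each hunk header.
function findHtmlSinks(diffText) {
  const findings = [];
  let file = null;
  let newLine = 0;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith('-') || raw.startsWith('\\')) continue; // removed line / "no newline" marker
    if (raw.startsWith('+')) {
      const code = raw.slice(1);
      for (const sink of HTML_SINKS) {
        if (sink.re.test(code)) {
          findings.push({ file, line: newLine, sink: sink.name, code: code.trim() });
        }
      }
    }
    newLine++; // added and context lines both advance the new-file counter
  }
  return findings;
}

// Constructed sample diff: a "formatting" change that swaps textContent for
// innerHTML, adds an insertAdjacentHTML call, and a React component that opts
// out of escaping.
const SAMPLE_DIFF = [
  'diff --git a/src/greeting.js b/src/greeting.js',
  '--- a/src/greeting.js',
  '+++ b/src/greeting.js',
  '@@ -10,4 +10,6 @@ function render(name) {',
  '   const el = document.getElementById("greeting");',
  '-  el.textContent = "Hello, " + name;',
  '+  el.innerHTML = "Hello, <b>" + name + "</b>";',
  '+  document.getElementById("bio").insertAdjacentHTML("beforeend", profile.bio);',
  '+  console.log("rendered");',
  ' }',
  'diff --git a/src/Profile.jsx b/src/Profile.jsx',
  '--- a/src/Profile.jsx',
  '+++ b/src/Profile.jsx',
  '@@ -3,3 +3,3 @@ export function Profile({ bio }) {',
  '-  return <p>{bio}</p>;',
  '+  return <p dangerouslySetInnerHTML={{ __html: bio }} />;',
  ' }',
].join('\n');

// Run directly under Node to print the findings for the sample diff.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findHtmlSinks(SAMPLE_DIFF)) {
    console.log(`${f.file}:${f.line} ${f.sink}: ${f.code}`);
  }
}
```

Feed it `git diff origin/main...HEAD` and treat every line it prints as a review comment to be answered: either the input is sanitized on the line above, or the sink is replaced with textContent.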
External reference: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
↳ OWASP Top 10 (2021) A03: Injection; CWE-79.