To be honest I don't remember because I haven't injected user input into the browser, maybe ever, in vanilla javascript and would utilized React and Vue to handle that. If I had to allow user input I would use React's dangerouslySetInnerHTML and some 3rd party package to sanitize the input.