https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md

Is it possible to apply some HTML encoding like the example above?

To make dynamic updates to HTML in the DOM safe, we recommend: HTML encoding, and then JavaScript encoding all untrusted input, as shown in these examples:

var ESAPI = require('node-esapi');
element.innerHTML = "<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForHTML(untrustedData))%>";