
The existence of `innerHTML` or `eval()` or `exec()` etc. isn't the problem itself.

After all, you could implement the exact same thing in userspace.

But yes, anytime you have one program writing instructions for the other, you wind up with a risk of bad composition of those instructions.

Fortunately, frameworks and libraries (for SQL and HTML) are increasingly successful at adoption and removing the risk of the programmer using low-level unsafe primitives.
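The "bad composition" the comment describes, shown concretely as an added example (not code from the original page or its author). It assumes Python's standard-library `sqlite3` and `html` modules and a constructed two-row `users` table: a lookup that splices the user's string into SQL text lets `' OR '1'='1` rewrite the query, while the parameterized form hands the value to the driver separately so it is never parsed as SQL; the HTML pair does the same for markup, escaping the value before it is composed into a fragment.

```python
import html
import sqlite3

# Constructed sample data for the example; not from the original page.
ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Bad composition: the program writes SQL text with the user's string inside it.

    The database cannot tell which characters were meant as data, so a quote
    in `name` changes the structure of the statement.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the SQL text is fixed; the value travels out of band.

    `?` is bound by the driver, so the same input is compared literally and
    can never become part of the statement's syntax.
    """
    sql = "SELECT name, email FROM users WHERE name = ? ORDER BY name"
    return conn.execute(sql, (name,)).fetchall()


def greeting_unsafe(name):
    """Same mistake for HTML: raw text concatenated into markup."""
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    """Escape before composing, which is what template engines do for you."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, hostile))   # every row leaks
    print("safe:  ", lookup_safe(db, hostile))     # no row has that literal name
    print(greeting_unsafe("<img src=x onerror=alert(1)>"))
    print(greeting_safe("<img src=x onerror=alert(1)>"))
```

The `?` placeholder is the low-level safe primitive; an ORM or templating library wraps it so the programmer never gets to concatenate in the first place, which is the adoption the comment is pointing at.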
