HTML

Default to text rendering (`textContent`, React's `{value}`) — never `innerHTML` with untrusted input. When you must render HTML, sanitize with DOMPurify on the way *in* and use a strict allow-list. Combine with a Content-Security-Policy that bans inline scripts and `eval`. Treat user-supplied URLs as suspicious — block `javascript:` and `data:` for href/src.

Semantic HTML and accessibility practices

What are semantic HTML elements and why use them

What is srcset in HTML