// Try to use `textContent` instead of innerHTML as innerHTML can be hacked. document.getElementById("myHeader").textContent = "Heading"