Not really... all the risks are to get your page broken... on client side only. But anyway, even without using innerHTML a malicious user could easily inspect your code and modify it. That's why there's a lot of restricting security rules for js scripts in browsers ;) The potential risk you could facing is to expose sensitive information in your source code, and when you send request to the server: on the backside, you'll need to NOT trust data provided by users (sql requests are unsafe to send to database without strong checking, for example)...