Deprecated/Insecure APIs
Checks for use of deprecated or known-insecure JavaScript APIs (eval, document.write, innerHTML).
What this check measures
We scan the JS bundle for `eval(`, `new Function(`, `document.write(`, and direct `.innerHTML =` assignments with dynamic values. These are classic XSS vectors.
Why it matters
eval and document.write are historically XSS's best friends. innerHTML with untrusted data is a step below but still dangerous. All have safer modern alternatives.
How our audit detects it
We run regular expressions over the JS bundle for the dangerous API calls listed above. Each occurrence is flagged with a file and line reference where possible.
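A minimal version of this detection, added here as an illustration and not Pantra's own scanner: it walks a bundle line by line, flags the call patterns named above, and reports `.innerHTML =` only when the right-hand side is not a plain string literal (the "dynamic values" distinction). The pattern names and the sample bundle are constructed for this example.

```javascript
// Added example (not Pantra's code): line-oriented scanner for the APIs this check flags.
const CALL_PATTERNS = [
  { api: 'eval', re: /\beval\s*\(/ },
  { api: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { api: 'document.write', re: /\bdocument\.write(?:ln)?\s*\(/ },
];
// Matches `x.innerHTML = <rhs>` (assignment, not `==`/`===`) and captures the right-hand side.
const INNER_HTML_RE = /\.innerHTML\s*=(?!=)\s*([^;]+)/;

// A plain string literal with no interpolation is static markup; anything else
// (identifier, concatenation, template with ${...}) is treated as dynamic.
// Conservative: an escaped quote inside the literal also counts as dynamic.
function isStaticLiteral(rhs) {
  const s = rhs.trim();
  return /^'[^']*'$/.test(s) || /^"[^"]*"$/.test(s) ||
    (/^`[^`]*`$/.test(s) && !s.includes('${'));
}

function scanBundle(source, file = 'bundle.js') {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    const line = i + 1;
    if (/^\s*\/\//.test(text)) return; // skip line comments
    for (const { api, re } of CALL_PATTERNS) {
      if (re.test(text)) findings.push({ file, line, api, text: text.trim() });
    }
    const m = INNER_HTML_RE.exec(text);
    if (m && !isStaticLiteral(m[1])) {
      findings.push({ file, line, api: 'innerHTML (dynamic)', text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample bundle: three true positives and three benign lines.
const SAMPLE_BUNDLE = [
  "const cfg = eval(localStorage.getItem('cfg'));",
  "box.innerHTML = '<b>static</b>';",
  "box.innerHTML = userInput;",
  "// document.write('legacy') is only mentioned in this comment",
  "document.write('<script src=\"legacy.js\"></script>');",
  "if (el.innerHTML === '') { el.textContent = name; }",
].join('\n');

const report = scanBundle(SAMPLE_BUNDLE);
report.forEach(f => console.log(`${f.file}:${f.line} ${f.api}: ${f.text}`));
```

Running it prints three findings (lines 1, 3 and 5); the static innerHTML assignment, the comment and the `===` comparison are not reported.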
Typical findings
- eval() of a user-supplied string.
- innerHTML = userInput — straight XSS.
- document.write() still shipping from a legacy script.
How to fix
Replace eval with JSON.parse or a proper expression evaluator. Replace innerHTML with textContent (for text) or DOM creation APIs (for HTML). Never use document.write.
Frequently asked questions
Is innerHTML always bad?