Text is a sequence of characters. HTML is a sequence of tags and HTML-encoded text. Some text can be interpreted as HTML. Some of that HTML can be malicious. The bottom line is if you take text, and you give it to something which expects HTML, you will encounter bugs with non-alphanumerics, XSS holes, or both.<p>Let's look at the methods discussed in the article. textContent gives you the text inside of an element, ignoring any tags. This text can certainly look like HTML, and that HTML can be malicious.<p>createTextNode takes text and creates a node with that text as its content. innerHTML of that gives you HTML that, when rendered, is the sequence of characters that matches the text you passed it. If you want a sequence of HTML which cannot contain tags, creating a text node and immediately grabbing the HTML within it certainly is a safe way to do it.<p>In general, "escaping" is the wrong way to think about it. You have functions which can convert text to the equivalent HTML, and you have functions which extract the text within a DOM node. While sometimes the HTML which renders as a given text string is the same as the string, this is definitely not always the case.