Web applications may be vulnerable to exploitation. For example, a web application may include HyperText Markup Language (HTML) web pages that implement JavaScript to provide user interfaces for dynamic interaction. Portions of a document object model (DOM) of the HTML may come from an unreliable party. For instance, a malicious user may inject malicious data into a database associated with the web application through dynamic interaction with the web application. A benign user may then send a request to the web application and, in response to processing the request, the web application may inject the malicious data from the database into the response HTML sent back to the benign user. The benign user may now interact with the unsafe response HTML and cause JavaScript code to run, which may create vulnerability.