For example, if a streamer were to allow a command that takes a viewer's input and display that using $test, the user could maliciously insert "" as their text.
To avoid this issue, please use textContent to set values.
text.textContent = MySet.message;
When displaying text, the code set innerHTML and displays the value.
text.innerHTML = MySet.message;
This method of setting text if extremely vulnerable to DOM-based cross-site scripting.
For example, if a streamer were to allow a command that takes a viewer's input and display that using $test, the user could maliciously insert "" as their text.
To avoid this issue, please use textContent to set values.
text.textContent = MySet.message;