Comment by rafram
1 day ago
That's absolutely not true. Sanitization on the client is significantly safer, because the client knows how it parses HTML, while the server can, at best, guess (and hope it follows the spec).
When you set element.textContent = someUserGeneratedContent, the browser guarantees that the user-generated content will never be parsed as HTML.
response.write("<div>" + sanitize(someUserGeneratedContent) + "</div>") has no such guarantee.
If that’s all you want, it’s trivial to replace all < and & with their encodings.
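An added example (not rafram's code) of the two paths the comment contrasts: a server-side escaper for the `response.write` case, which replaces `&`, `<` and `>` in text and also the quote characters when the value lands inside an attribute, beside the client-side `textContent` assignment. Function and variable names are my own assumptions.

```javascript
// Text-node escapes: '<' opens a tag and '&' starts a character reference,
// so those two are the minimum; '>' is escaped as well for symmetry.
const TEXT_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };

// Attribute values additionally need the quote that delimits them escaped,
// otherwise a value could close the attribute early.
const ATTR_ESCAPES = { ...TEXT_ESCAPES, '"': "&quot;", "'": "&#39;" };

// Single regex pass with a lookup: unlike chained .replace() calls, the
// order of substitutions cannot cause '&' to be escaped twice.
function escapeHtmlText(value) {
  return String(value).replace(/[&<>]/g, (ch) => TEXT_ESCAPES[ch]);
}

function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Server-side rendering of user content into a text node, the
// "<div>" + ... + "</div>" case from the comment. Any markup in the input
// reaches the browser as literal text, e.g. "<b>hi</b>" becomes
// "&lt;b&gt;hi&lt;/b&gt;". Input that already contains "&lt;" is escaped
// again on purpose: the value is text, not markup.
function renderDiv(userContent) {
  return "<div>" + escapeHtmlText(userContent) + "</div>";
}

// Server-side rendering into a double-quoted attribute value, where the
// text-only escaper would not be enough.
function renderTitled(userTitle) {
  return '<span title="' + escapeHtmlAttr(userTitle) + '">item</span>';
}

// Client-side equivalent: the browser guarantees the assigned string is
// never parsed as HTML, so no escaping is needed. (Browser-only; here
// `element` can be any object with a settable textContent property.)
function setTextClientSide(element, userContent) {
  element.textContent = userContent;
  return element;
}
```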