Is this JS script vulnerable to XSS?
08:21 12 Mar 2026

Okay, so I have a JS function that takes my server response, which would be multiple HTML elements.

I add all of those elements with innerHTML, and I know it can cause an XSS attack, but I struggle to understand how XSS works, though I have a vague idea of how it works. I was just wondering if, in this configuration, it could cause XSS?

Also, on the server side everything is sanitized to prevent any HTML user input.

JS code:

function searchCharacter(search_param){
  // Empty the result container before loading the new search results.
  let main_screen = document.getElementById("main_screen");
  while(main_screen.firstChild){
    main_screen.removeChild(main_screen.firstChild);
  }

  var xhttp = new XMLHttpRequest();

  xhttp.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      // The response body is parsed as HTML markup, so any tags or
      // attributes the server returns become live DOM nodes.
      main_screen.innerHTML = this.response;
    }
  };

  // search_param is concatenated into the query string as-is (not URL-encoded).
  let url = ("Menu.php?search="+search_param);
  xhttp.open("POST", url, true);
  xhttp.send();
}

PHP code:

// $_REQUEST merges GET, POST and cookie values, so "search" is accepted from any of them.
if(isset($_REQUEST["search"]))
{
    $search_parameter = $_REQUEST["search"];
    // Echoes the HTML fragment of matching characters that the JS assigns to innerHTML.
    get_characters($account_id, $search_parameter, $expiration_date, $dbh);

    exit();
}
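Added example, not code from the question: with innerHTML consuming the server fragment, "sanitized on the server side" has to mean that every dynamic value is HTML-encoded for the context it lands in (element text, attribute value), and the client should URL-encode the search term instead of concatenating it raw. The function names, the character fields and the sample data below are constructed for illustration and are not from the asker's project.

```javascript
// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): neutralises the five
// characters that can close an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// How searchCharacter() should build its URL: the raw concatenation
// "Menu.php?search=" + search_param lets "&" or "#" in the term alter the
// request, encodeURIComponent keeps it a single parameter value.
function buildSearchUrl(base, searchParam) {
  return base + "?search=" + encodeURIComponent(searchParam);
}

// Renders one character row the way the server fragment should be produced:
// each field is escaped for the context it is inserted into, so the string
// assigned to innerHTML can only ever contain the elements this template
// defines, never ones supplied by the data. (hypothetical field names)
function renderCharacterRow(character) {
  return (
    '<div class="character" data-id="' + escapeHtml(character.id) + '">' +
      "<span>" + escapeHtml(character.name) + "</span>" +
    "</div>"
  );
}

// Self-check runnable in Node: a stored record whose fields carry markup and
// a stray attribute must come back as inert text inside the template.
// (constructed sample data)
function demo() {
  const hostile = {
    id: '7" onmouseover="alert(1)',
    name: "<img src=x onerror=alert(1)>",
  };
  return renderCharacterRow(hostile);
}
```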