It looks similar to Lit code, but it's not Lit, so yes, it is XSS waiting to happen all right. If it were Lit it would be escaped. It would start with html` which evaluates to a TemplateResult and the render() function only accepts a TemplateResult.