Change XXS-challenge so `textContent` is used instead of `innerText`

[teodor-elstad]

The attribute innerText is usually thought to be safe, but as described in the DOM based XSS Prevention Cheat Sheet, this is not always the case (for instance when using a <script>-tag. It's better therefore to use the attribute textContent.

In addition, textContent is more performant.