We'll add a text input box to patio11bot, and a button that allows the user to ask a question.
Then, we'll use vanilla JavaScript (so no jQuery or other framework) to grab that input.
Is it secure enough to put a user's raw input directly into the page as HTML?
This site is just a static site that doesn't even have a backend, so yes - it's perfectly safe to put user input on the page like that. There's nothing that they could mess up except for their own browser.
But you bring up a good point: if this input was going back into a database, and then was going to be served and displayed in other people's browsers, then you would need to worry about sanitizing inputs, etc. at that point.
Because of things like that, making this lesson just made me appreciate front-end frameworks like React even more. I hadn't written vanilla JavaScript to manipulate the DOM like that in a while - and you forget how fragile and messy it was before the modern frameworks :)
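As an added example (not code from the patio11bot lesson or from the thread above), here is the vanilla-JavaScript input handling described in the lesson, written so that the user's text is always rendered as text rather than parsed as markup. The element ids `question-input`, `ask-button` and `answers` and the stand-in bot reply are assumptions.

```javascript
// Added example; not the lesson's own code. Element ids are hypothetical.

// Escape the five characters that change meaning when a string is placed in HTML.
// Use this whenever the string ends up inside innerHTML or a template string.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the markup for one question/answer pair as a string.
// Because both values are escaped, "<b>hi</b>" shows up literally on the page.
function renderAnswerHtml(question, answer) {
  return `<p class="question">${escapeHtml(question)}</p>` +
         `<p class="answer">${escapeHtml(answer)}</p>`;
}

// Same result without building HTML at all: textContent assigns the string as
// literal text, so no escaping step is needed. This is the simpler default.
function appendAnswerNode(container, question, answer) {
  const doc = container.ownerDocument;
  const q = doc.createElement("p");
  q.className = "question";
  q.textContent = question;
  const a = doc.createElement("p");
  a.className = "answer";
  a.textContent = answer;
  container.append(q, a);
  return container;
}

// Wire the button up only when running in a browser (skipped under Node).
if (typeof document !== "undefined") {
  document.getElementById("ask-button").addEventListener("click", () => {
    const input = document.getElementById("question-input");
    const answers = document.getElementById("answers");
    // "(bot reply)" is a constructed placeholder for whatever patio11bot answers.
    appendAnswerNode(answers, input.value, "(bot reply)");
    input.value = "";
  });
}
```

The same `escapeHtml` step is what you would need the moment the stored question is rendered into someone else's page, as the reply above describes.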