Book title and author data are injected directly into `innerHTML` without sanitization