The essence of the idea is simple, and works like this:
And in the PHP:
var div = document.createElement("div");
div.innerHTML = markup;
Of course, there's a whole load more code (e.g. I have a mechanism for displaying the pop-up near the mouse and for allowing the user to close the pop-up, etc, etc, etc), but that is irrelevant to my question.
$markup = "<h3>Help</h3><p>You clicked on help, so here it is.</p>";
Note also that $markup can contain anything I want - e.g. it could contain a form.
Note also that the server populates $markup with predictable content - it is NOT populated by the user.
Are there any security risks inherent in the code as I have posted it? (i.e. barring the fact that $markup could be used for code injection, but I have accounted for that and mitigated against it).