DOMPurify

The DOMParser.prototype.parseFromString function will return a Document:

const parser = new DOMParser()
const doc = parser.parseFromString("<img src=x onerror=alert(1)>", "text/html")
console.log(doc.querySelectorAll("*")) // NodeList(4) [ html, head, body, img]

Assign .innerHTML (equal to <svg></p>whatever) with itself:

const el = document.createElement("div")
el.innerHTML = "<svg></p>whatever" // "<svg></p>whatever"
el.innerHTML = el.innerHTML // "<svg></svg><p></p>whatever"

Quartz 🪬

Explorer

DOMPurify

Resources