LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License
102 stars 9 forks

Handle mXSS bypass #108

Closed weizman closed 1 year ago

weizman commented 1 year ago

Attempt to fix #91, inspired by @mmndaniel's #106

#106 attempts to use XMLSerializer which, after some research, fucks up the HTML result and injects some syntax errors.

Running:

```js
// Test payload: two same-origin realms are created, an iframe and the
// current window; `top.bypass` is the test page's callback that receives them.
const html = `
<iframe onload="top.bypass([this.contentWindow]);"></iframe>
<script>setTimeout(() => top.bypass([window]), 1000)</script>
`;
// Parse the payload into a detached <html> element, then re-serialize it
// with XMLSerializer (the approach taken in #106).
const template = document.createElement('html');
template.innerHTML = html;
new XMLSerializer().serializeToString(template);
```

Returns:

```
'<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body><iframe onload="top.bypass([this.contentWindow]);"></iframe>\n\x3Cscript>setTimeout(() =&gt; top.bypass([window]), 1000)\x3C/script>\n</body></html>'
```
template.innerHTML

See how the content of the script tag is ruined.

Luckily, replacing the usage of XMLSerializer with a simple innerHTML setter seems to do the trick, god knows why...
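The following is an added example, not code from the Snow project or from this PR, showing why the two serializers disagree on the script above. XMLSerializer applies XML serialization, which entity-escapes `&`, `<` and `>` in every text node, including the body of a `<script>` element, so `=>` becomes `=&gt;`. The innerHTML getter applies the HTML fragment serialization algorithm, which emits the contents of raw-text elements (`script`, `style`, `xmp`, `iframe`, `noembed`, `noframes`, `plaintext`) verbatim. The block models those two escaping rules directly so it runs without a DOM, then checks whether each result still parses as JavaScript. `top.bypass` is the PR's own test callback and is only ever parsed here, never executed; `compareInBrowser` reproduces the PR's experiment with the real APIs when pasted into a browser console and returns null elsewhere.

```javascript
// Added example (not part of the Snow project): why XMLSerializer breaks
// inline scripts while the innerHTML getter keeps them intact.

// Script body from the PR's payload. `top.bypass` is the PR's test callback;
// this example only parses the text, it never runs it.
const PAYLOAD_SCRIPT = 'setTimeout(() => top.bypass([window]), 1000)';

// Elements whose children the HTML fragment serializer emits verbatim.
const RAW_TEXT_ELEMENTS = new Set([
  'script', 'style', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext',
]);

// Escaping applied to ordinary text nodes by both serializers.
function escapeText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serialize the text child of `tagName` the way each algorithm does:
// 'xml'  -> XMLSerializer: escape everywhere, no raw-text exception.
// 'html' -> innerHTML getter: raw-text element contents are emitted as-is.
function serializeChildText(tagName, text, mode) {
  if (mode === 'html' && RAW_TEXT_ELEMENTS.has(tagName.toLowerCase())) {
    return text;
  }
  if (mode === 'html' || mode === 'xml') {
    return escapeText(text);
  }
  throw new Error(`unknown mode: ${mode}`);
}

// Parse-only check: new Function() compiles the source without executing it,
// so a SyntaxError here means the serialized script is broken.
function parsesAsJavaScript(source) {
  try {
    new Function(source); // eslint-disable-line no-new-func
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Run the same script body through both models and report the outcome.
function compareSerializers(scriptBody) {
  const viaXml = serializeChildText('script', scriptBody, 'xml');
  const viaHtml = serializeChildText('script', scriptBody, 'html');
  return {
    xml: { text: viaXml, valid: parsesAsJavaScript(viaXml) },
    html: { text: viaHtml, valid: parsesAsJavaScript(viaHtml) },
  };
}

// Browser-only: the PR's experiment with the real APIs. Returns null where
// there is no DOM (e.g. Node) so the rest of the file still runs.
function compareInBrowser(html) {
  if (typeof document === 'undefined' || typeof XMLSerializer === 'undefined') {
    return null;
  }
  const template = document.createElement('html');
  template.innerHTML = html;
  return {
    xml: new XMLSerializer().serializeToString(template),
    html: template.innerHTML,
  };
}

console.log(compareSerializers(PAYLOAD_SCRIPT));
```

The practical rule for this kind of normalization (parse, re-serialize, re-parse) is that the serializer must follow the same rules as the parser that will consume its output; serializing an HTML tree with XML rules changes the text that the HTML parser later sees, which is exactly the parser/serializer mismatch mXSS payloads exploit.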

weizman commented 1 year ago

ending up with #123