I was looking at the code and I don't think you're using DOMParser.
It's a bit modern of course and doesn't support Node but I think this would be a better way to go.
It would allow you to use the same parsing algorithm as the browser, which I assume is more tested, reduce the surface area of your code and possibly remove exploitable bugs.
Maybe there's a reason the current code is preferred?
I was looking at the code and I don't think you're using DOMParser.
It's a bit modern of course and doesn't support Node but I think this would be a better way to go.
It would allow you to use the same parsing algorithm as the browser, which I assume is more tested, reduce the surface area of your code and possibly remove exploitable bugs.
Maybe there's a reason the current code is preferred?