I am surprised there is no policy that would allow inline event handlers set in the initial payload (or stuff emitted by document.write), but neuter any done after initial render by `….setAttribute('on…', …)`.
That would keep "static form" helpers still functional, but disable (malicious) runtime templating.