So is this basically a safe version of innerHTML?
replies(2):
Whether I generate a whole page or generate a partial page and then add HTML to it is equivalent from a safety perspective.
Hmmm...
Markdown implementations can do any of that, only allowing a whitelist of HTML elements (GFM), or not allowing HTML at all.
Solutions in the form of pre-existing HTML sanitisation libraries have existed for years but countless websites still manage to get XSS'd every year because not everyone capable of writing code is capable of writing secure code.
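The first reply's point, that rendering a whole page and splicing a fragment into an existing one need the same discipline, can be made concrete with a small escaping helper. This is an added example, not code from any of the commenters; `html`, `SafeHtml` and `safeUrl` are hypothetical names chosen here, and the sample comment is constructed.

```javascript
// Added example: the same escaping is needed whether a whole page is rendered
// or a fragment is assigned to element.innerHTML, because both turn untrusted
// text into markup. `html`, `SafeHtml` and `safeUrl` are hypothetical names.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open or close an element or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Allowlist of href forms; anything else (javascript:, data:, vbscript:, or a
// scheme padded with whitespace) is replaced by a harmless '#'.
function safeUrl(value) {
  const s = String(value).trim();
  return /^(https?:|mailto:|\/|\.\/|#)/i.test(s) ? s : '#';
}

// Marker for markup that has already been escaped or sanitised.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: every interpolation is escaped unless it is already SafeHtml,
// so forgetting to escape becomes the hard thing to do rather than the default.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// One comment; the result is equally safe to concatenate into a page or to
// assign to innerHTML, since nothing untrusted reached the output unescaped.
function renderComment(author, body, link) {
  return html`<li><a href="${safeUrl(link)}">${author}</a>: ${body}</li>`;
}

// Whole-page rendering reuses the same fragments; no extra rule is needed.
function renderPage(comments) {
  const items = comments.map((c) => renderComment(c.author, c.body, c.link));
  return html`<!doctype html><html><body><ul>${new SafeHtml(items.join(''))}</ul></body></html>`.markup;
}

// Constructed sample comment containing markup and a script URL.
const SAMPLE = [{ author: '<img src=x onerror=alert(1)>', body: 'Tom & "Jerry"', link: 'javascript:alert(1)' }];
console.log(renderPage(SAMPLE));
```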