<img src="x" onerror="alert('hi! here is some fresh new xss, enjoy ')">
Did this ever work? I found out that almost none of the attributes get passed through the API
*I tested style attribute too. Didn’t work
even if this worked jeffalo’s dompurify would cut the invalid src and possibly the onerror @jeffalo pls confirm