/mxss · sink: regex sanitizer + element.innerHTML round-trip
Regex sanitizer + client-side innerHTML reparse = parser-mode escape.
The server strips <script> and on* attributes with regex. The client then does preview.innerHTML = template.innerHTML, which reparses the markup. Tags that change tokenization mode (<noscript>, <style>, <svg>) can carry a payload past the sanitizer and reactivate it after the reparse.