WordPress · hbhalodia · Nov 21, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/src/js/_enqueues/wp/sanitize.js b/src/js/_enqueues/wp/sanitize.js
@@ -25,20 +25,25 @@
 		stripTags: function( text ) {
 			let _text = text || '';
 
-			// Do the search-replace until there is nothing to be replaced.
-			do {
-				// Keep pre-replace text for comparison.
-				text = _text;
-
-				// Do the replacement.
-				_text = text
-					.replace( /<!--[\s\S]*?(-->|$)/g, '' )
-					.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
-					.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
-			} while ( _text !== text );
+			const domParser = new DOMParser();
+			const htmlDocument = domParser.parseFromString(
+				_text,
+				'text/html'
+			);
+
+			/*
+			 * This looks funny and appears to be a no-op, but it
+			 * enforces the escaping. How? when _read_ the `innerText`
+			 * property decodes character references, returning a raw
+			 * string. When _written_, however, it re-encodes to ensure
+			 * that the rendered text replicates what it’s given.
+			 *
+			 * See: https://github.com/WordPress/wordpress-develop/pull/10536#discussion_r2550615378
+			 */
+			htmlDocument.body.innerText = htmlDocument.body.innerText || '';
 
 			// Return the text with stripped tags.
-			return _text;
+			return htmlDocument.body.innerHTML;
 		},
 
 		/**