DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS for an SVG element or a MATH element, as demonstrated by Chrome and Safari.