After messing around for one day I came across this answer.
seems like this was a wasted effort and I need to go a different route.
when I am setting elem.innerHTML to <script>alert(1)</script>
it becomes unescaped. (i see while I type this in the composer, that it will be removed in the preview if I type it unescaped.) is this a problem or will CSP stop it?
https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243!csp error|690x191
posts including script tags as part of an explanation also seem to create these CSP errors. I am really confused now. Do I need to worry about stored xss at all, or will CSP just block it? in the composer i use ckeditor which prevents from selfxss. If I need to worry about it, it seems like I need to prune unsafe tags. I just do
value = Loofah.fragment(value).scrub!(:escape).to_s
at the moment, but it seems to have no effect at all because setting elem.innerHTML to this value will just unescape the html entities.
EDIT: I finally found the source of my confusion: inspect element will not show you the real html. it will convert html entities already.
if you click on editashtml in the inspector, it becomes clear that everything is actually fine. seeing otherwise invisible tags being rendered should have already pointed me in this direction.