https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md
Is it possible to apply some HTML Encoding like the example above:
To make dynamic updates to HTML in the DOM safe, we recommend:
HTML encoding, and then
JavaScript encoding all untrusted input, as shown in these examples:
var ESAPI = require('node-esapi');
element.innerHTML = "<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForHTML(untrustedData
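The two-layer encoding from the quoted recommendation, as an added example that is not part of the original post or the cheat sheet. `encodeForHTML` and `encodeForJavaScript` here are minimal stand-ins written for illustration (not node-esapi's implementation), the sample input is constructed, and a plain object stands in for the DOM element.

```javascript
// Added example. The encoders are minimal stand-ins, not node-esapi's code.

// HTML layer: neutralise markup so the HTML parser treats the value as text.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// JavaScript layer: \uXXXX-escape every non-alphanumeric UTF-16 code unit so
// nothing can end or alter the string literal the value is placed in.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, ch =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The statement a server-side template would emit into a <script> block.
function renderStatement(untrusted, encoders) {
  const value = encoders.reduce((v, encode) => encode(v), untrusted);
  return 'element.innerHTML = "' + value + '";';
}

// Stand-in for the browser: run the statement against a plain object
// (hypothetical substitute for a DOM element) and report what reaches innerHTML.
function run(statement) {
  const element = { innerHTML: null };
  try {
    new Function('element', statement)(element);
    return { value: element.innerHTML, error: null };
  } catch (e) {
    return { value: null, error: e.name };
  }
}

// Constructed sample input: markup, quotes and a trailing backslash.
const sample = '<b>"hi"</b>\\';

const both = run(renderStatement(sample, [encodeForHTML, encodeForJavaScript]));
const htmlOnly = run(renderStatement(sample, [encodeForHTML]));
const jsOnly = run(renderStatement(sample, [encodeForJavaScript]));

console.log('both layers :', both);     // entity-encoded text reaches innerHTML
console.log('HTML only   :', htmlOnly); // trailing backslash breaks the JS string
console.log('JS only     :', jsOnly);   // raw markup reaches innerHTML
```

The JavaScript layer is applied last because the JavaScript parser decodes the string literal first; the HTML-encoded text it yields is what the HTML parser then sees on assignment to `innerHTML`.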