Open
Description
Description of the false positive
CodeQL considers DOMParser().parseFromString an XSS sink, but I think it is no longer an XSS sink.
Though there was a bug in Safari some years ago, the method is designed not to execute JavaScript, as far as I read the discussions in GoogleChrome/web.dev#6890 and the spec.
Note that script elements are not evaluated during parsing, and the resulting document's encoding will always be UTF-8.
Code samples or links to source code
codeql/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/tst.js
Lines 177 to 180 in b6a7661
URL to the alert on GitHub code scanning (optional)
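The behaviour discussed in the report, as an added demonstration (not code from the CodeQL repository, the linked test file, or the reporter). It assumes a browser with DOMParser and uses constructed attacker-controlled markup (the flag names, the image URL and the allowlist are illustrative choices): parsing alone runs nothing, and what a taint tracker actually has to care about is where the parsed nodes go afterwards, because an onerror attribute parsed in the inert document does run once that element is adopted into the live page. A small allowlist rebuild shows the safe way to reuse the parsed tree.

```html
<!doctype html>
<meta charset="utf-8">
<title>DOMParser.parseFromString: where the sink really is</title>
<pre id="log"></pre>
<script>
// Added demonstration, not code from CodeQL or from the issue author.
// Open in a browser; the log shows which of the planted payloads ran.
const log = (msg) => {
  console.log(msg);
  document.getElementById("log").textContent += msg + "\n";
};

// Constructed attacker-controlled markup (assumed to come from an untrusted
// source): an inline script and an image whose onerror handler is the classic
// DOM XSS payload. Each sets a flag so we can tell whether it executed.
window.scriptRan = false;
window.handlerRan = false;
const tainted =
  "<script>window.scriptRan = true<\/script>" +
  '<img src="does-not-exist.png" onerror="window.handlerRan = true">';

// 1. Parsing alone. parseFromString builds a separate Document with scripting
//    disabled: the script body is not evaluated, and because that document is
//    never active the image is not fetched, so no error event can fire.
const parsed = new DOMParser().parseFromString(tainted, "text/html");
log(`parsed: ${parsed.scripts.length} script(s), ${parsed.images.length} image(s)`);
log(`after parse:      scriptRan=${window.scriptRan} handlerRan=${window.handlerRan}`);

// 2. Safe reuse of the parsed tree: rebuild it from an allowlist of tags and
//    attributes instead of adopting the parsed nodes. <script> and every
//    on* attribute are simply never copied.
const ALLOWED = { p: [], b: [], i: [], img: ["src", "alt"] };
function rebuild(node) {
  if (node.nodeType === Node.TEXT_NODE) return document.createTextNode(node.data);
  if (node.nodeType !== Node.ELEMENT_NODE) return null;
  const tag = node.localName;
  if (!(tag in ALLOWED)) return null;
  const el = document.createElement(tag);
  for (const name of ALLOWED[tag]) {
    if (node.hasAttribute(name)) el.setAttribute(name, node.getAttribute(name));
  }
  for (const child of node.childNodes) {
    const copy = rebuild(child);
    if (copy) el.append(copy);
  }
  return el;
}
const cleanImg = rebuild(parsed.querySelector("img"));
document.body.append(cleanImg);
log(`rebuilt <img> attributes: ${[...cleanImg.attributes].map((a) => a.name).join(",")}`);

// 3. The actual sink: adopting the parsed nodes into the live page. Once the
//    <img> sits in an active, scripting-enabled document its src is fetched,
//    the fetch fails, the error event fires and the onerror attribute is
//    compiled and run with this page's origin. The <script> was marked
//    "already started" by the parser and stays inert even here.
const script = document.adoptNode(parsed.querySelector("script"));
const img = document.adoptNode(parsed.querySelector("img"));
img.addEventListener("error", () => {
  // Defer one task so the onerror content attribute has certainly run first.
  setTimeout(() => {
    log(`after insertion:  scriptRan=${window.scriptRan} handlerRan=${window.handlerRan}`);
  }, 0);
});
document.body.append(script, img);
</script>
```

The first log line shows both flags still false after parsing; the last one shows handlerRan flipped to true and scriptRan still false, which is why modelling the parse call itself as the sink produces this false positive while insertion of the parsed nodes (appendChild, adoptNode, importNode, or innerHTML of a serialised subtree) remains a real one.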