createContextualFragment() should do adopt node or some such

[annevk]

The HTML fragment parsing algorithm creates its own dummy document. Which means that

document.createRange().createContextualFragment(`<img src=x onerror=alert(1)>`)

should technically not alert as things are currently defined (images are only fetched in active documents). However, it does. In all browsers. And if you check the node document of the returned fragment it will match document, which is an active document.

[rniwa]

Yeah, we need to use the same document as that of Range object here. I just noticed that createContextualFragment also has code to get rid of html, head, & body elements. That is very strange.