To clarify the purpose of this method, it is beginning the process of separating the two String cases that `$()` handles: selectors and HTML serialization. There was some discussion in #11974 that implied it may be misunderstood as some sort of "XSS-proof HTML processing." **It is not.**

We want to mitigate the chances that a jQuery dev calls `$(selector)` thinking it is a CSS selector, but Mr. Bad Guy has managed to get script into `selector` and therefore executes it. We're doing that by providing `$.parseHTML` and eventually locking down the HTML recognition of `$()` to a small subset.

If/when environments provide better ways to sandbox, the ability of `$.parseHTML()` to make the dev's intentions clear will come in handy. However, no matter the method, jQuery allows devs to parse and execute scripts. If they process complex HTML with script and allow that script to come from untrusted or corruptible sources, it is still possible to make successful XSS attacks--just as it would be if the dev wrote their code in bare DOM methods.
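The two String cases described in the comment above, as an added example that is not jQuery's code: a loose recognition rule that treats a string as HTML if it contains markup anywhere (the hazard for a dev who meant a selector), a strict rule that only treats a string as HTML when it begins with `<` (the "small subset" direction), and a wrapper for code that only ever intends a selector. The regexes and the `selectOnly`/`find` names are simplified stand-ins chosen for this example, not the library's actual patterns or API.

```javascript
// Added example, not jQuery's code. The patterns below are simplified
// stand-ins for the two recognition rules discussed, not jQuery's own.

// Loose rule (the hazard): any tag anywhere makes the whole string "HTML",
// so a string the caller meant as a selector can be parsed as markup.
const LOOSE_HTML = /<[a-zA-Z][^>]*>/;

// Strict rule (the locked-down subset): HTML only if the trimmed string
// starts with a tag. Everything else goes to the selector engine, which
// rejects markup with a syntax error instead of parsing it.
const STRICT_HTML = /^\s*<[a-zA-Z]/;

function classifyLoose(str) {
  return LOOSE_HTML.test(str) ? "html" : "selector";
}

function classifyStrict(str) {
  return STRICT_HTML.test(str) ? "html" : "selector";
}

// For code paths that only ever mean "selector": refuse anything either
// rule would treat as markup, so untrusted text never reaches the HTML
// path at all. `find` stands in for $(context).find(selector).
function selectOnly(find, str) {
  if (classifyLoose(str) === "html" || classifyStrict(str) === "html") {
    throw new Error("refusing markup where a selector was expected");
  }
  return find(str);
}

// Constructed inputs: a plain selector, plain HTML, and a selector-looking
// string that carries a tag (the mixed case the two rules disagree on).
const SAMPLES = ["#item-1", "<b>bold</b>", "li <b>x</b>"];

function classifyAll() {
  return SAMPLES.map((s) => ({
    input: s,
    loose: classifyLoose(s),
    strict: classifyStrict(s),
  }));
}
```

Under the loose rule the mixed sample is parsed as HTML; under the strict rule it is handed to the selector engine, and `selectOnly` refuses it either way.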