
> You could argue that the API is bad for allowing HTML strings as arguments

That is exactly what I’m arguing, yes.

> but it's not really surprising that a function does what it is documented to do

It doesn’t have to be surprising or undocumented to be stupid.




> > You could argue that the API is bad for allowing HTML strings as arguments
>
> That is exactly what I’m arguing, yes.

And how does native DOM help there?


There are relatively few DOM APIs which take a trusted string. innerHTML and outerHTML are two and clearly state that they take HTML so it's no surprise for the stuff you give them to be interpreted thus. But if you use e.g. textContent or createTextNode to insert text into your document, they will correctly sanitise it.

jQuery has text()[0], but because most of its API takes strings to start with, it's very convenient to do the wrong thing and shove untrusted strings into unsafe methods.

[0] http://api.jquery.com/text/#text2


Yes, the API takes strings, but it calls the native DOM in the end anyway, so I still don't get what your point is.


> yes, API takes strings, but it calls native DOM at the end anyway

jQuery calls unsafe APIs which should only be handed trusted strings, but it makes it easy and convenient to give them untrusted strings and thus introduce exploit vectors.

Furthermore, it's also significantly more difficult to audit the code: using the regular DOM there are only a pair of attributes to check, whereas pretty much any jQuery method call is a potential security hole.

tldr: jQuery makes doing things wrong very easy, much easier than doing things right.
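The auditing point made in this thread, as an added example that is not part of the discussion and not jQuery's own code: a small Node script that scans source lines for the two DOM attributes that interpret HTML and for the much longer list of jQuery methods that parse their string argument as HTML. The jQuery sink list is an assumption drawn from jQuery's documented behaviour and is not exhaustive; `audit`, `auditLine` and the sample source are constructed here.

```javascript
// Added example: flag source lines that write strings into HTML-interpreting
// sinks. Two DOM attributes need checking; the jQuery list (an assumption based
// on jQuery's documentation, not exhaustive) is much longer, which is what makes
// jQuery code harder to audit.
const DOM_HTML_SINKS = ['innerHTML', 'outerHTML'];
const JQUERY_HTML_SINKS = ['html', 'append', 'prepend', 'before', 'after',
  'replaceWith', 'wrap', 'wrapInner', 'appendTo', 'prependTo'];

// `.innerHTML =` or `.innerHTML +=` assignments (but not `==` comparisons).
const domSinkRe = new RegExp('\\.(' + DOM_HTML_SINKS.join('|') + ')\\s*\\+?=[^=]');
// `.html(arg)` etc. with a non-empty argument list; `.html()` getters are ignored.
const jqSinkRe = new RegExp('\\.(' + JQUERY_HTML_SINKS.join('|') + ')\\s*\\(\\s*[^)\\s]');
// `$("<...")`: jQuery parses a string that starts with '<' as HTML, not a selector.
const jqCtorRe = /\$\(\s*['"`]\s*</;

function auditLine(line) {
  const findings = [];
  let m;
  if ((m = domSinkRe.exec(line))) findings.push({ sink: m[1], kind: 'dom' });
  if ((m = jqSinkRe.exec(line))) findings.push({ sink: m[1] + '()', kind: 'jquery' });
  if (jqCtorRe.test(line)) findings.push({ sink: '$(html)', kind: 'jquery' });
  return findings;
}

// Returns one finding per sink hit, with the 1-based line number and the line text.
function audit(source) {
  return source.split('\n').flatMap((line, i) =>
    auditLine(line).map(f => ({ line: i + 1, ...f, text: line.trim() })));
}

// Constructed sample source: a mix of safe writes and HTML-interpreting ones.
const SAMPLE = [
  "el.textContent = userName;",          // safe: creates a text node
  "el.innerHTML = '<b>' + userName;",    // DOM sink
  "$('#out').text(userName);",           // safe: jQuery text() setter
  "$('#out').html(userName);",           // jQuery sink
  "$('#list').append('<li>' + item);",   // jQuery sink
  "$('<div>' + comment + '</div>');",    // jQuery constructor parses HTML
  "if (a == b) { count = count + 1; }",  // no sink
].join('\n');

function main() {
  for (const f of audit(SAMPLE)) {
    console.log(`${f.line}: ${f.kind} sink ${f.sink}: ${f.text}`);
  }
}
main();
```

On the sample source the script reports four lines (2, 4, 5 and 6); the `textContent` and `text()` lines are not flagged.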



