It should have been done via DOM manipulation in the first place. What Signal developers did can be compared to constructing raw SQL requests where parameterized queries suffice. Thankfully, it was just fixed: https://github.com/signalapp/Signal-Desktop/commit/4e5c8965f...
https://github.com/signalapp/Signal-Desktop/commit/9d41b8616...
> Remove escaping from `linkText`
>
> We leverage jQuery’s HTML escaping in `$.html(…)`.
ummm.... wat
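
The contrast drawn in the first comment (HTML assembled as strings versus DOM manipulation), as an added example that is not part of this thread or of Signal's code. The function names, the URL pattern and the sample message are constructed for illustration; `doc` is assumed to be any object offering the standard `createElement`/`createTextNode` methods (`document` in a browser).

```javascript
// Added example; linkifyUnsafe, linkifySegments and renderSegments are hypothetical names.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// String-building pattern: the whole message ends up in one HTML string.
// Whatever markup the sender typed is parsed as markup once this string
// is handed to innerHTML or $.html().
function linkifyUnsafe(text) {
  return text.replace(URL_RE, (u) => '<a href="' + u + '">' + u + '</a>');
}

// Split the message into plain-text and link segments. No markup is produced here.
function linkifySegments(text) {
  const out = [];
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    if (m.index > last) out.push({ type: 'text', value: text.slice(last, m.index) });
    out.push({ type: 'link', value: m[0] });
    last = m.index + m[0].length;
  }
  if (last < text.length) out.push({ type: 'text', value: text.slice(last) });
  return out;
}

// DOM-manipulation pattern: untrusted strings only reach createTextNode,
// textContent and setAttribute, so they never pass through an HTML parser.
// This plays the role a parameterized query plays for SQL.
function renderSegments(doc, container, segments) {
  for (const seg of segments) {
    if (seg.type === 'link') {
      const a = doc.createElement('a');
      a.setAttribute('href', seg.value); // only http(s) URLs match URL_RE
      a.textContent = seg.value;
      container.appendChild(a);
    } else {
      container.appendChild(doc.createTextNode(seg.value));
    }
  }
  return container;
}

// Constructed sample message: sender-supplied markup next to a link.
const SAMPLE = 'see <b>injected</b> https://example.org/a';
```

In a browser, `renderSegments(document, el, linkifySegments(SAMPLE))` shows the `<b>` tag as literal text, while assigning `linkifyUnsafe(SAMPLE)` to `el.innerHTML` renders it as a bold element.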