TL;DR: not even assumed-sanitized HTML and CSS can be trusted in el.innerHTML or $(el).html(). Increase security by using a JavaScript sanitizer like Google Caja.
More info:
http://www.nds.rub.de/research/publications/mXSS-Attacks/
http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
Original issue nette/nette#1496
I would suggest delegating $(el).html(snippet) to a separate method and by default using a secure implementation via TrueHTML or at least sanitizing the input.
I haven't done enough research on this topic and further research is necessary. Known affected are old versions of IE (8, 9), Firefox, Chrome. The IE 11 XSS filter shows a warning even for false positives, which might break trust between user and site.
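As an added example, not code from this issue or from the nette project: the shape of the "one method owns every $(el).html(snippet) call" suggestion above. The choke point sanitizes the snippet, writes the result into a detached scratch element, reads the browser's own serialization back, and refuses to use it unless that serialization is a fixed point of the sanitizer; markup that the parse/serialize round trip turns into something the sanitizer would have stripped (the mXSS setup from the linked paper) is caught before it reaches the page. All names are hypothetical. `sanitize` stands for whatever sanitizer the project picks (Caja or similar in production), and `makeScratch` would be `() => document.createElement('div')` in a browser; so that the file also runs in Node, a constructed stand-in sanitizer and a constructed FakeElement are used below, and neither models any particular browser faithfully.

```javascript
// Added example (hypothetical helper, not nette code). A single choke point for
// writing server-rendered snippets into the DOM, with a mutation check.

// Constructed stand-in sanitizer: allows a few bare tags (including <listing>, so
// the constructed mutation below has something to act on) and escapes every other
// tag. A real deployment must use a proper sanitizer (assumed: Caja), not this.
const ALLOWED_TAG = /^<\/?(b|i|em|strong|p|listing)>$/i;
function sanitizeStandIn(html) {
  return html.replace(/<[^>]*>?/g, tag =>
    ALLOWED_TAG.test(tag) ? tag : tag.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
}

// Constructed stand-in for a detached element. Its innerHTML getter imitates one
// mutation class the linked paper describes: text that was entity-encoded when
// written comes back decoded on read. Here only <listing> content is affected.
class FakeElement {
  constructor() { this.stored = ''; }
  set innerHTML(value) { this.stored = value; }
  get innerHTML() {
    return this.stored.replace(/<listing>([\s\S]*?)<\/listing>/gi,
      (whole, body) => '<listing>' + body.replace(/&lt;/g, '<').replace(/&gt;/g, '>') + '</listing>');
  }
}

// The choke point that $(el).html(snippet) would be delegated to.
// Returns { ok: true, html } with the markup that was written to `target`,
// or { ok: false, reason, html } without touching `target`.
function setHtmlSafely(target, snippet, sanitize, makeScratch) {
  const clean = sanitize(snippet);
  const scratch = makeScratch();          // detached, never attached to the document
  scratch.innerHTML = clean;
  const roundTripped = scratch.innerHTML; // what the browser will serialize later
  if (sanitize(roundTripped) !== roundTripped) {
    // The serialized form contains something the sanitizer would strip: the
    // markup mutated between parse and serialize, so do not trust it.
    return { ok: false, reason: 'innerHTML round trip mutated the sanitized markup', html: roundTripped };
  }
  target.innerHTML = roundTripped;
  return { ok: true, html: roundTripped };
}

// Runs the choke point over three constructed snippets: harmless markup, a plain
// script injection (escaped and accepted), and a snippet that only becomes
// dangerous after the round trip (rejected).
function demo() {
  const makeScratch = () => new FakeElement();
  const page = new FakeElement();
  return {
    plain: setHtmlSafely(page, '<p>hello <b>world</b></p>', sanitizeStandIn, makeScratch),
    script: setHtmlSafely(page, '<p><script>alert(1)</script></p>', sanitizeStandIn, makeScratch),
    mutated: setHtmlSafely(page, '<listing>&lt;img src=x onerror=alert(1)&gt;</listing>', sanitizeStandIn, makeScratch),
  };
}
```

In a browser the same `setHtmlSafely` is called with the real sanitizer and `() => document.createElement('div')`; the point of the design is that the round-trip check sits in the one place all snippet insertion goes through, so a browser whose serializer mutates some construct fails closed instead of handing the mutated markup to the next innerHTML assignment.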