
fix: use `setAttribute` instead of `innerHTML` to prevent xss

Michael Wang 1 year ago
parent
commit
89ab00a4a1
1 changed files with 6 additions and 4 deletions
  1. 6 4
      js/controllers/slidecontent.js

+ 6 - 4
js/controllers/slidecontent.js

@@ -142,13 +142,15 @@ export default class SlideContent {
 
 					// Support comma separated lists of video sources
 					backgroundVideo.split( ',' ).forEach( source => {
+						const sourceElement = document.createElement( 'source' );
+						sourceElement.setAttribute( 'src', source );
+
 						let type = getMimeTypeFromFile( source );
 						if( type ) {
-							video.innerHTML += `<source src="${source}" type="${type}">`;
-						}
-						else {
-							video.innerHTML += `<source src="${source}">`;
+							sourceElement.setAttribute( 'type', type );
 						}
+
+						video.appendChild( sourceElement );
 					} );
 
 					backgroundContent.appendChild( video );
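Review bot: The new element-building code carries no comment saying why it is written this way, so a later edit can drift back to string-built markup without anyone noticing; the only record of the reason is the commit title. I would put the rationale next to the existing comment on the `forEach` line, e.g. `// Build each <source> via DOM APIs (createElement/setAttribute), not innerHTML: the source string is attacker-controllable markup otherwise`. The `src` value itself is still passed through unchanged, which is fine for a `<source>` element, but it is worth noting in that comment that this fix closes markup injection only, not any validation of the URL itself. As a minor style point, `let type` on the line after the new `setAttribute` call is never reassigned and could be `const`. The enclosing method of `SlideContent` starts and ends outside this hunk.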