This is now available natively as RegExp.escape(). You can also use this to escape a string that is inserted into the middle of a regex, for example, into a character ...
This page documents recurring attack classes that DOMPurify and other DOM-based HTML sanitizers have had to withstand: HTML parser mutation, namespace confusion, rawtext breakouts, depth-limit ...