zc2 asked:

Safari XSLTProcessor removes event handler attributes

In this fiddle: https://jsfiddle.net/q3d10wmv/
How can I make the XSLTProcessor of the Safari browser (tested on macOS 10.15.7 Catalina) not remove the onclick attribute?

Expected result:
<a href="javascript:void(0);" onclick="alert(1);">1 </a>


On Safari:
<a href="javascript:void(0);">1 </a>




Gertone (Geert Bormans)

I cannot reproduce the issue on Safari on my iPhone or my iPad,
so it might be something macOS-related only.
Just to see the processor used in all cases, I did this fiddle:
https://jsfiddle.net/gq82a3tb/
but it does not seem to help.
(I also added the version attribute to the stylesheet element; even when not used, it is still mandatory in a stylesheet.)

zc2 (ASKER)

That's right, on iOS it works fine. The problem is only on macOS.
I noticed that the onclick is not removed when transformToFragment() is used.
I've had issues using it though, because of a lack of support for disable-output-escaping="yes" in some browsers, etc.

zc2 (ASKER)

transformToFragment()
Even though disable-output-escaping="yes" is supported in WebKit, there is another problem: it removes the <td> elements if they are not inside a table. Here is a fiddle: https://jsfiddle.net/69oem2b7/9
I think you should avoid disable-output-escaping as much as possible anyway

You parse the result document as XML.
Have you tried to explicitly set the output method to XML?
As your result is a fragment of HTML, the serialiser might have another opinion.
<xsl:output method="xml"/>

There is a bit of parsing and serialisation going on; I guess the problem is the XML string to HTML innerText filtering.
You could try to set the serialisation to html
<xsl:output method="html"/>
and set the innerHTML instead.
It would save you the extra serializeToString on line 20.

But I cannot test any of those, lacking a macOS system.

zc2 (ASKER)

> should avoid disable-output-escaping as much as possible
I don't know how else I can output data which is actually HTML (say, from a database field).

> Have you tried to explicitly set the output method to XML?
Having an explicit output method xml does not change a thing.
Actually, in the real sites I always set the method to xml with
<xsl:output method="xml" encoding="windows-1252" omit-xml-declaration="no" /> 


I'd prefer not to use the html method because in some cases a transformation output is an input for another transformation.

> I guess the problem is the XML string to HTML innerText filtering
No, it is filtered out during the transformation, not the serialization or innerHTML insertion. I added the following line; it shows null (on macOS Safari only):
alert(res_d.documentElement.getAttribute("onclick"));


OK, I see

Fragile as it seems, different approaches to the same might lead to different results.
Have you tried adding the attributes with an xsl:attribute instead of literal attributes in the a element?
It is a slightly different construction of the output tree, so it might have an effect.

It also protects you in case the parseFromString gets it out from the XSLT source right away.

But shooting in the dark with this.

zc2 (ASKER)

Just tried to declare the onclick as <xsl:attribute name="onclick">alert(1);</xsl:attribute>
Still omitted from the result.

I found a solution, but I am pretty much uncertain whether it would bring me other troubles somewhere (see below).
It consists of the following:
1. use transformToFragment() to transform
2. output method="xml"
3. All XSLT files, top-level and imported utility, have to declare the namespace xmlns="http://www.w3.org/1999/xhtml"

Here is a fiddle: https://jsfiddle.net/w9tudsy8/1/

It inserts xmlns="http://www.w3.org/1999/xhtml" in all output nodes, and I don't know how to get rid of it.
Also, I am not sure, as it might change the browser behaviour in some part. All the site pages have <!DOCTYPE html>, making them HTML5 compatible. I am afraid that having the namespace xmlns="http://www.w3.org/1999/xhtml" would modify that somehow.
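
A probe for the behaviour discussed in this thread, as an added example that is not part of any post or fiddle: it runs a constructed one-template stylesheet through both transformToDocument() and transformToFragment(), with and without the XHTML default namespace, and reports whether onclick is still present on the result. The function names and the `<root/>` input are assumptions made for the example.

```javascript
// Added example: constructed stylesheet and input, not the code from the fiddles.
const XHTML_NS = "http://www.w3.org/1999/xhtml";

// Build a minimal stylesheet that emits one <a> carrying an onclick attribute.
// useXhtmlNs=true applies point 3 of the workaround (XHTML default namespace).
function buildStylesheet(useXhtmlNs) {
  const ns = useXhtmlNs ? ` xmlns="${XHTML_NS}"` : "";
  return `<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"${ns}>
  <xsl:output method="xml"/>
  <xsl:template match="/">
    <a href="javascript:void(0);" onclick="alert(1);">1 </a>
  </xsl:template>
</xsl:stylesheet>`;
}

// Run one variant and return the onclick value found on the resulting <a>,
// or null when the attribute (or the element) is missing from the result.
function onclickAfterTransform(useXhtmlNs, useFragment) {
  const parser = new DOMParser();
  const xsl = parser.parseFromString(buildStylesheet(useXhtmlNs), "application/xml");
  const src = parser.parseFromString("<root/>", "application/xml");
  const proc = new XSLTProcessor();
  proc.importStylesheet(xsl);
  const out = useFragment
    ? proc.transformToFragment(src, document)
    : proc.transformToDocument(src);
  const a = out && (useFragment ? out.firstElementChild : out.documentElement);
  return a ? a.getAttribute("onclick") : null;
}

// Try all four combinations; returns null outside a browser
// (no XSLTProcessor or DOMParser available).
function probeAll() {
  if (typeof XSLTProcessor === "undefined" || typeof DOMParser === "undefined") return null;
  const rows = [];
  for (const xhtmlNamespace of [false, true]) {
    for (const api of ["transformToDocument", "transformToFragment"]) {
      const onclick = onclickAfterTransform(xhtmlNamespace, api === "transformToFragment");
      rows.push({ xhtmlNamespace, api, onclick });
    }
  }
  return rows;
}
```

Call `console.table(probeAll())` from the browser console and compare the rows between Safari on macOS and another browser.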

ASKER CERTIFIED SOLUTION
Gertone (Geert Bormans)

This solution is only available to members.