diff --git a/packages/core/src/sanitization/inert_body.ts b/packages/core/src/sanitization/inert_body.ts
index 0d7173f01a..d4aed03163 100644
--- a/packages/core/src/sanitization/inert_body.ts
+++ b/packages/core/src/sanitization/inert_body.ts
@@ -6,6 +6,8 @@
* found in the LICENSE file at https://angular.io/license
*/
+import {trustedHTMLFromString} from '../util/security/trusted_types';
+
/**
* This helper is used to get hold of an inert tree of DOM elements containing dirty HTML
* that needs sanitizing.
@@ -36,8 +38,9 @@ class DOMParserHelper implements InertBodyHelper {
// in `html` from consuming the otherwise explicit `
' + html;
try {
- const body = new (window as any).DOMParser().parseFromString(html, 'text/html').body as
- HTMLBodyElement;
+ const body = new window.DOMParser()
+ .parseFromString(trustedHTMLFromString(html) as string, 'text/html')
+ .body as HTMLBodyElement;
body.removeChild(body.firstChild!);
return body;
} catch {
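Review bot: The `trustedHTMLFromString(html) as string` on the parseFromString call asserts a type the call does not actually receive when a Trusted Types policy is active — the value is then a TrustedHTML object, and the cast exists only because the lib.dom typings for `parseFromString` and `innerHTML` declare a `string` parameter. A deliberate lie to the checker like this deserves a why-comment at each of the four new call sites (this hunk, the two `innerHTML` assignments in the InertDocumentHelper hunks, and the isDOMParserAvailable hunk), e.g. `// TrustedHTML is accepted by DOMParser/innerHTML at runtime; \`as string\` only satisfies lib.dom typings.` It would also help to record the invariant that makes minting a TrustedHTML value from still-unsanitized `html` acceptable here: the result is only parsed into an inert DOMParser document or inert body that is sanitized before anything reaches the live document, so the same helper must not be reused for a sink in the real document. The enclosing method's signature and the `html` preparation lie above the hunk, and the hunk's `catch` branch continues below it.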
@@ -71,7 +74,7 @@ class InertDocumentHelper implements InertBodyHelper {
// Prefer using element if supported.
const templateEl = this.inertDocument.createElement('template');
if ('content' in templateEl) {
- templateEl.innerHTML = html;
+ templateEl.innerHTML = trustedHTMLFromString(html) as string;
return templateEl;
}
@@ -83,7 +86,7 @@ class InertDocumentHelper implements InertBodyHelper {
// down the line. This has been worked around by creating a new inert `body` and using it as
// the root node in which we insert the HTML.
const inertBody = this.inertDocument.createElement('body');
- inertBody.innerHTML = html;
+ inertBody.innerHTML = trustedHTMLFromString(html) as string;
// Support: IE 9-11 only
// strip custom-namespaced attributes on IE<=11
@@ -129,7 +132,8 @@ class InertDocumentHelper implements InertBodyHelper {
*/
export function isDOMParserAvailable() {
try {
- return !!new (window as any).DOMParser().parseFromString('', 'text/html');
+ return !!new window.DOMParser().parseFromString(
+ trustedHTMLFromString('') as string, 'text/html');
} catch {
return false;
}
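Review bot: With `trustedHTMLFromString('')` now inside the `try`, isDOMParserAvailable() returns false not only when DOMParser is missing or throws but also when creating the TrustedHTML value itself throws (presumably a refused policy under a Trusted Types CSP — trustedHTMLFromString's behaviour is not visible in this diff). That is probably the intended outcome, since a DOMParser fed a plain string would also be rejected under an enforcing policy, but the function's name and its JSDoc (which ends at the `*/` just above the signature) no longer describe what it reports; a comment on the new call such as `// Also false when no TrustedHTML value can be created: DOMParser would reject a plain string under an enforcing Trusted Types policy.` would make that explicit. Since the return is now the only thing the function promises, annotating it, `export function isDOMParserAvailable(): boolean {`, would let the checker pin it, though that signature is an unchanged context line.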