If you're constructing your unsandboxed parent document HTML using string concatenation, you might as well not use the sandboxed iframe at all. But presumably someone who bothers to sandbox untrusted content also knows about setAttribute(), or the srcdoc JS property.
reply
You can entity-encode the content in the srcdoc= attribute to robustly solve that problem, or populate it via the DOM.
reply
s/"/&quot;/g
reply
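Added example, not part of any comment in this thread: the three ways of setting `srcdoc` discussed above (raw concatenation, entity-encoding the attribute value, and assigning through the DOM), with a simplified model of double-quoted attribute parsing to show where the value ends. All function names and the sample input are constructed for illustration.

```javascript
// Encode untrusted HTML for use inside a double-quoted srcdoc="..." attribute.
// "&" is encoded first so entities already present in the content survive.
function encodeSrcdocAttr(html) {
  return String(html).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// The pattern the first comment warns about: raw string concatenation.
function iframeByConcat(html) {
  return '<iframe sandbox srcdoc="' + html + '"></iframe>';
}

// Same markup, with the attribute value entity-encoded.
function iframeByEncoding(html) {
  return '<iframe sandbox srcdoc="' + encodeSrcdocAttr(html) + '"></iframe>';
}

// DOM route: the parent parses no markup, so no encoding is needed.
// `doc` is a Document (window.document in a browser).
function iframeByDom(doc, html) {
  const frame = doc.createElement("iframe");
  frame.setAttribute("sandbox", ""); // sandbox is in place before content is assigned
  frame.srcdoc = html;
  return frame;
}

// Simplified model of how an HTML parser reads a double-quoted attribute:
// the value ends at the first literal quote, then entities are decoded.
// Returns the decoded value and the markup that follows it in the parent.
function readSrcdoc(markup) {
  const start = markup.indexOf('srcdoc="') + 8;
  const end = markup.indexOf('"', start);
  const value = markup.slice(start, end)
    .replace(/&quot;/g, '"').replace(/&amp;/g, "&");
  return { value, rest: markup.slice(end + 1) };
}

// Constructed sample of untrusted content that contains quotes.
const untrusted = '<p title="x">a &amp; b</p>"><p>now in the parent</p>';

console.log(readSrcdoc(iframeByConcat(untrusted)));   // value cut short, rest leaks into parent
console.log(readSrcdoc(iframeByEncoding(untrusted))); // value round-trips intact
```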