Please note that KirbyText is just an extension of Markdown, which is an extension of HTML. Which means: KirbyText may as well contain HTML. Therefore you need to strip all HTML tags from the KirbyText on the client side or you might as well parse KirbyText on the backend. However stripping HTML may not mitigate all attacks (like XSS in a link tag).
My recommendation is to only load resources from trusted sources anyway, then you won‘t need all that complex and potentially still not 100 % secure client logic.