clarify when sanitization is done and when not

pull/2657/head
Lode Claassen 6 years ago committed by GitHub
parent 85b1850b77
commit 1df741a374
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -12,4 +12,4 @@ In Svelte, you do this with the special `{@html ...}` tag:
<p>{@html string}</p>
```
> Svelte doesn't perform any sanitization of the data before it gets inserted into the DOM. In other words, it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks.
> Svelte doesn't perform any sanitization of the data before it gets inserted into the DOM via a @html-tag. In other words, if you use `{@html ...}` it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks.

Loading…
Cancel
Save