From 2afc19e1a748d66c932ddcddeaa58e44cf4448e2 Mon Sep 17 00:00:00 2001
From: Rich Harris <richard.a.harris@gmail.com>
Date: Sat, 7 Sep 2019 14:58:58 -0400
Subject: [PATCH] tweak explanation

---
 site/content/docs/02-template-syntax.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/site/content/docs/02-template-syntax.md b/site/content/docs/02-template-syntax.md
index d9b1345fec..b878f1453e 100644
--- a/site/content/docs/02-template-syntax.md
+++ b/site/content/docs/02-template-syntax.md
@@ -320,9 +320,9 @@ If you don't care about the pending state, you can also omit the initial block.
 
 In a text expression, characters like `<` and `>` are escaped; however, with HTML expressions, they're not.
 
-> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability.
+The expression should be valid standalone HTML — `{@html "<div>"}content{@html "</div>"}` will *not* work, because `</div>` is not valid HTML.
 
-> Due to the limitations of the DOM APIs available to insert raw HTML fragments, this directive cannot be used to surround content with additional markup.
+> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability.
 
 ```html
 <div class="blog-post">