From 8e037027a1d51a6bedcabb3826fe74da4b3d9fd3 Mon Sep 17 00:00:00 2001 From: David A Kondrad Date: Fri, 30 Aug 2019 14:53:08 -0400 Subject: [PATCH 1/2] site: docs: {@html} clarifications This commit clarifies that `{@html}` directives cannot be used to surround markup with additional tags. Also corrected the grammar in the descriptive text to remove dangling fragment. Fixes #3456 --- site/content/docs/02-template-syntax.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site/content/docs/02-template-syntax.md b/site/content/docs/02-template-syntax.md index 600634ab11..d9b1345fec 100644 --- a/site/content/docs/02-template-syntax.md +++ b/site/content/docs/02-template-syntax.md @@ -318,10 +318,12 @@ If you don't care about the pending state, you can also omit the initial block. --- -In a text expression, characters like `<` and `>` are escaped. With HTML expressions, they're not. +In a text expression, characters like `<` and `>` are escaped; however, with HTML expressions, they're not. > Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability. +> Due to the limitations of the DOM APIs available to insert raw HTML fragments, this directive cannot be used to surround content with additional markup. + ```html

{post.title}

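Review bot: The added note "Due to the limitations of the DOM APIs available to insert raw HTML fragments, this directive cannot be used to surround content with additional markup" states the rule without showing it, so a reader cannot tell what "surround content with additional markup" looks like in a template; consider giving a concrete failing form (an opening tag in one `{@html}` expression and its closing tag in a second one, with content between them) and stating the rule positively, that each expression must be valid standalone HTML. Also, placing this as a second `>` blockquote directly under the XSS warning makes two unrelated cautions read as one; keeping the sanitization warning as its own blockquote and the markup limitation as a plain paragraph would keep the security point distinct.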
From 2afc19e1a748d66c932ddcddeaa58e44cf4448e2 Mon Sep 17 00:00:00 2001 From: Rich Harris Date: Sat, 7 Sep 2019 14:58:58 -0400 Subject: [PATCH 2/2] tweak explanation --- site/content/docs/02-template-syntax.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/content/docs/02-template-syntax.md b/site/content/docs/02-template-syntax.md index d9b1345fec..b878f1453e 100644 --- a/site/content/docs/02-template-syntax.md +++ b/site/content/docs/02-template-syntax.md @@ -320,9 +320,9 @@ If you don't care about the pending state, you can also omit the initial block. In a text expression, characters like `<` and `>` are escaped; however, with HTML expressions, they're not. -> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability. +The expression should be valid standalone HTML — `{@html "
"}content{@html "
"}` will *not* work, because `
` is not valid HTML. -> Due to the limitations of the DOM APIs available to insert raw HTML fragments, this directive cannot be used to surround content with additional markup. +> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability. ```html
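Review bot: The sanitization warning now sits below the validity note, which reads well, but it still says only "you must sanitize it" without saying what sanitizing means here; since escaping `<` and `>` is exactly what `{@html}` turns off, a reader may conclude that escaping is the fix and end up with broken markup or, worse, assume the framework does it. Consider stating that the untrusted value should be passed through an allowlist-based HTML sanitizer before it reaches `{@html}`, and that the expression should never be assembled from untrusted input by string concatenation. Minor: the `{@html "<div>"}content{@html "</div>"}` example replaces the "DOM APIs" sentence that the previous commit had just reworded, so the two patches could be squashed into one.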