msb-public
/
svelte
mirror of https://github.com/sveltejs/svelte
1
0
Code Issues Projects Releases Wiki Activity

Merge pull request #3481 from dkondrad/gh-3456

Browse Source 
site: docs: {@html} clarifications
pull/3529/head
Rich Harris 5 years ago committed by GitHub
parent 9120f5ad78 5346b378e3
commit 409abd6c5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File

4
site/content/docs/02-template-syntax.md
Unescape View File

@ -318,7 +318,9 @@ If you don't care about the pending state, you can also omit the initial block.
---
In a text expression, characters like `<` and `>` are escaped. With HTML expressions, they're not.
In a text expression, characters like `<` and `>` are escaped; however, with HTML expressions, they're not.
The expression should be valid standalone HTML — `{@html "<div>"}content{@html "</div>"}` will *not* work, because `</div>` is not valid HTML.
> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability.

Write Preview
Loading…
Cancel
Save