Merge pull request #3481 from dkondrad/gh-3456

site: docs: {@html} clarifications
pull/3529/head
Rich Harris 5 years ago committed by GitHub
commit 409abd6c5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -318,7 +318,9 @@ If you don't care about the pending state, you can also omit the initial block.
---
In a text expression, characters like `<` and `>` are escaped. With HTML expressions, they're not.
In a text expression, characters like `<` and `>` are escaped; however, with HTML expressions, they're not.
The expression should be valid standalone HTML — `{@html "<div>"}content{@html "</div>"}` will *not* work, because `</div>` is not valid HTML.
> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability.
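Review bot: The warning blockquote at the end of this hunk says "you must sanitize it" but gives the reader nothing to act on: it does not say that the sanitizing has to happen before the value reaches `{@html ...}`, and it does not point back to the safe default. The sentence two lines above already establishes that text expressions escape `<` and `>`, so consider tying the two together, for example by adding that a plain text expression should be used unless markup is actually required. A smaller point on the `{@html "<div>"}content{@html "</div>"}` sentence: the explanation names only `</div>` as invalid, which leaves it unclear why the opening `<div>` on its own is a problem too. Saying that each expression has to be valid HTML by itself would make the rule easier to apply to other cases.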
