This commit clarifies that `{@html}` directives cannot be used to surround markup with additional tags.
Also corrected the grammar in the descriptive text to remove a dangling fragment.
Fixes #3456
@ -318,10 +318,12 @@ If you don't care about the pending state, you can also omit the initial block.
---
---
In a text expression, characters like `<` and `>` are escaped. With HTML expressions, they're not.
In a text expression, characters like `<` and `>` are escaped; however, with HTML expressions, they're not.
> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability.
> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability.
> Due to the limitations of the DOM APIs available to insert raw HTML fragments, this directive cannot be used to surround content with additional markup.
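Review bot: the added blockquote at the end of this hunk states the restriction abstractly ("cannot be used to surround content with additional markup") without showing what the unsupported pattern looks like; since the commit message describes it as an opening tag emitted by one `{@html}` expression and its closing tag by another, a one-line illustration of that split, followed by the rule that each `{@html}` expression must be a self-contained, well-formed fragment, would make the limitation actionable for readers who hit it. Consider also whether "Due to the limitations of the DOM APIs available to insert raw HTML fragments" needs to name the mechanism at all; the user-facing constraint is the same regardless, and the rewritten sentence above ("are escaped; however, with HTML expressions, they're not") reads more naturally as the original two short sentences than joined with a semicolon.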