From e2a999c06ac01525a52ddfa30fa20cb7a8371a1f Mon Sep 17 00:00:00 2001 From: Olalekan Abdulfatah <53246916+olaleykhan@users.noreply.github.com> Date: Fri, 7 Jun 2024 13:45:25 +0100 Subject: [PATCH] Update 04-special-tags.md (#11951) turning the word "XSS Vulnerability" to a clickable link to take the reader to https://owasp.org/www-community/attacks/xss/ so that can read more about it if they don't as that is pretty important. --- documentation/docs/02-template-syntax/04-special-tags.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/docs/02-template-syntax/04-special-tags.md b/documentation/docs/02-template-syntax/04-special-tags.md index 4145d8d6d6..a807a19e2d 100644 --- a/documentation/docs/02-template-syntax/04-special-tags.md +++ b/documentation/docs/02-template-syntax/04-special-tags.md @@ -13,7 +13,7 @@ In a text expression, characters like `<` and `>` are escaped; however, with HTM The expression should be valid standalone HTML — `{@html "
"}content{@html "
"}` will _not_ work, because `` is not valid HTML. It also will _not_ compile Svelte code. -> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability. +> Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an [XSS vulnerability](https://owasp.org/www-community/attacks/xss/) ```svelte
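Review bot: the `+` line drops the trailing period that the `-` line ends with, so the blockquote now ends on `](https://owasp.org/www-community/attacks/xss/)` with no sentence terminator; add a `.` after the closing parenthesis so the warning still reads as a complete sentence. Linking the phrase to the OWASP XSS page is a reasonable change for a note that tells readers to sanitize untrusted input before `{@html}`, and no other text in the hunk is affected.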