Merge pull request #2657 from lode/patch-1
Clarify when sanitization is done and when not
Rich-Harris committed May 4, 2019
2 parents 97d3999 + 7bf207f commit 0f07acc
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion site/content/tutorial/01-introduction/06-html-tags/text.md
Expand Up @@ -12,4 +12,4 @@ In Svelte, you do this with the special `{@html ...}` tag:
<p>{@html string}</p>
```

> Svelte doesn't perform any sanitization of the data before it gets inserted into the DOM. In other words, it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks.
> Svelte doesn't perform any sanitization of the expression inside `{@html ...}` before it gets inserted into the DOM. In other words, if you use this feature it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks.

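Review bot: The new wording correctly narrows the warning from "the data" to "the expression inside `{@html ...}`", but "manually escape HTML that comes from sources you don't trust" is the wrong verb for this feature: escaping an untrusted string makes the browser render its tags as literal text, which is what plain `{string}` already does, whereas someone reaching for `{@html string}` wants the markup interpreted. The sentence's own opening ("doesn't perform any sanitization") names the operation that actually fits, so consider "it's critical that you sanitize HTML that comes from sources you don't trust (or escape it, if it should not be rendered as markup at all)" in the added line. Separately, the inserted clause reads better with a comma: "if you use this feature, it's critical that ...".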