From 1df741a374cb36e1f09cde9a1d13281a45cbea7e Mon Sep 17 00:00:00 2001 From: Lode Claassen Date: Thu, 2 May 2019 21:49:42 +0200 Subject: [PATCH 1/2] clarify when sanitization is done and when not --- site/content/tutorial/01-introduction/06-html-tags/text.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/tutorial/01-introduction/06-html-tags/text.md b/site/content/tutorial/01-introduction/06-html-tags/text.md index fdc8a576ff..cf5032fea4 100644 --- a/site/content/tutorial/01-introduction/06-html-tags/text.md +++ b/site/content/tutorial/01-introduction/06-html-tags/text.md @@ -12,4 +12,4 @@ In Svelte, you do this with the special `{@html ...}` tag:

{@html string}

``` -> Svelte doesn't perform any sanitization of the data before it gets inserted into the DOM. In other words, it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks. \ No newline at end of file +> Svelte doesn't perform any sanitization of the data before it gets inserted into the DOM via a @html-tag. In other words, if you use `{@html ...}` it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks. From 7bf207f825ca3e7384dd8206a7a5e3fdaacc4fea Mon Sep 17 00:00:00 2001 From: Rich Harris Date: Fri, 3 May 2019 23:24:00 -0400 Subject: [PATCH 2/2] Update text.md --- site/content/tutorial/01-introduction/06-html-tags/text.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/tutorial/01-introduction/06-html-tags/text.md b/site/content/tutorial/01-introduction/06-html-tags/text.md index cf5032fea4..ff547247e2 100644 --- a/site/content/tutorial/01-introduction/06-html-tags/text.md +++ b/site/content/tutorial/01-introduction/06-html-tags/text.md @@ -12,4 +12,4 @@ In Svelte, you do this with the special `{@html ...}` tag:

{@html string}

``` -> Svelte doesn't perform any sanitization of the data before it gets inserted into the DOM via a @html-tag. In other words, if you use `{@html ...}` it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks. +> Svelte doesn't perform any sanitization of the expression inside `{@html ...}` before it gets inserted into the DOM. In other words, if you use this feature it's critical that you manually escape HTML that comes from sources you don't trust, otherwise you risk exposing your users to XSS attacks.
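Review bot: in the first commit's hunk the added quote line writes the feature as "via a @html-tag", which is inconsistent with the backticked `{@html ...}` used in the hunk's context line ("In Svelte, you do this with the special `{@html ...}` tag:") and later in the same sentence; suggest "via the `{@html ...}` tag". The hunk also silently adds the missing trailing newline (the removed line carries "\ No newline at end of file", the added one does not), which is fine but worth a word in the commit message.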
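Review bot: the second commit's added quote line still pairs "doesn't perform any sanitization" with "it's critical that you manually escape HTML"; sanitizing and escaping are different operations, and escaping the whole string would render the untrusted markup as visible text, which is the opposite of what a reader reaching for `{@html ...}` wants. Suggest "manually sanitize HTML that comes from sources you don't trust" (or "sanitize or escape") so the advice matches the term the sentence opens with, plus a comma after "if you use this feature". The move from "via a @html-tag" to "the expression inside `{@html ...}`" is an improvement over the first commit.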