Merge pull request #3481 from dkondrad/gh-3456

site: docs: {@html} clarifications
2024-12-01 17:30:59 +01:00 · 2019-09-07 14:59:08 -04:00 · 2019-09-07 14:59:08 -04:00 · 409abd6c5d
commit 409abd6c5d
parent 9120f5ad78 5346b378e3
1 changed files with 3 additions and 1 deletions
--- a/site/content/docs/02-template-syntax.md
+++ b/site/content/docs/02-template-syntax.md
@ -318,7 +318,9 @@ If you don't care about the pending state, you can also omit the initial block.

 ---

-In a text expression, characters like `<` and `>` are escaped. With HTML expressions, they're not.
+In a text expression, characters like `<` and `>` are escaped; however, with HTML expressions, they're not.
+
+The expression should be valid standalone HTML — `{@html "<div>"}content{@html "</div>"}` will *not* work, because `</div>` is not valid HTML.

 > Svelte does not sanitize expressions before injecting HTML. If the data comes from an untrusted source, you must sanitize it, or you are exposing your users to an XSS vulnerability.