Ordinarily, strings are inserted as plain text, meaning that characters like <
and >
have no special meaning.
But sometimes you need to render HTML directly into a component. For example, the words you're reading right now exist in a markdown file that gets included on this page as a blob of HTML.
In Svelte, you do this with the special {@html ...}
tag:
<p>{@html string}</p>
Warning! Svelte doesn't perform any sanitization of the expression inside
{@html ...}
before it gets inserted into the DOM. This isn't an issue if the content is something you trust like an article you wrote yourself. However if it's some untrusted user content, e.g. a comment on an article, then it's critical that you manually escape it, otherwise you risk exposing your users to Cross-Site Scripting (XSS) attacks.