Open elimisteve opened 2 years ago
The only moment {@html ...} is used is when your markdown contains HTML. This package turns markdown into components (which eventually will be turned into HTML by Svelte).
There's a slight issue due to how @html works on Svelte. A paragraph needs to be either markdown or HTML. You can't mix both. For example this works:
This is a **markdown** paragraph
<p>This is an <strong>HTML</strong> paragraph</p>
In this case the second paragraph will be rendered using {@html ...}. The first paragraph won't.
This does not work:
This <em>will</em> not _work_.
If you are concerned about {@html ...} you can remove it from the whole svelte-markdown manually by including a custom html renderer:
<script>
export let text;
</script>
{text}
This will remove the unwanted behaviour "if html, render it".
From the README:
What does this mean? Obviously the whole point is rendering Markdown source to HTML, so does that mean that {@html ...} is often used, and therefore we must sanitize user input some other way? Thanks!
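
As an added illustration of the behaviour described in this thread (not code from svelte-markdown or from any commenter), the following JavaScript walks an already-parsed token tree and lists the `html` tokens, the only ones the thread says reach {@html ...}, so untrusted input can be rejected or routed to a sanitizer before rendering. The token shape (`type`, `text`, nested `tokens`/`items`/`header`/`rows`) is an assumption modelled on marked-style lexers, and the sample tokens are constructed.

```javascript
// Added example. Assumption: tokens are plain objects shaped like
// { type, text, tokens?, items?, header?, rows? } (marked-style lexer output).

// Yield every token in the tree, descending into each container a token may carry.
function* walk(tokens) {
  for (const token of tokens || []) {
    yield token;
    yield* walk(token.tokens);                         // inline children
    yield* walk(token.items);                          // list -> list_item
    for (const cell of token.header || []) yield* walk(cell.tokens);
    for (const row of token.rows || []) {
      for (const cell of row) yield* walk(cell.tokens); // table body cells
    }
  }
}

// Tokens of type "html" are the ones handed to the html renderer.
function findHtmlTokens(tokens) {
  return [...walk(tokens)].filter((t) => t.type === 'html');
}

// Summarise whether a document would hit the raw-HTML path, and with what text.
function auditTokens(tokens) {
  const fragments = findHtmlTokens(tokens).map((t) => t.text);
  return { usesRawHtml: fragments.length > 0, fragments };
}

// Constructed sample mirroring the thread: a markdown paragraph, an HTML
// paragraph, and a list item with an inline HTML tag.
const sampleTokens = [
  { type: 'paragraph', text: 'This is a **markdown** paragraph', tokens: [
    { type: 'text', text: 'This is a ' },
    { type: 'strong', text: 'markdown', tokens: [{ type: 'text', text: 'markdown' }] },
    { type: 'text', text: ' paragraph' },
  ] },
  { type: 'html', text: '<p>This is an <strong>HTML</strong> paragraph</p>' },
  { type: 'list', items: [
    { type: 'list_item', tokens: [
      { type: 'text', text: 'item ', tokens: [
        { type: 'text', text: 'item ' },
        { type: 'html', text: '<em>' },
      ] },
    ] },
  ] },
];

console.log(auditTokens(sampleTokens));
```

An empty `fragments` list means no part of the input would be rendered through the raw-HTML path under this token model.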