Please describe the example enhancement
I'm sure this isn't the only example on svelte.dev that has this, but this example which happens to be one of the first results when searching for "textarea svelte":
```svelte
<script>
	import { marked } from 'marked';

	let text = `Some words are *italic*, some are **bold**`;
</script>

<textarea bind:value={text} />

{@html marked(text)}
```
This shows an example for enabling markdown using marked, but this of course disables text sanitization and opens up an extremely easy XSS attack, and while it is the developer's responsibility at the end of the day, it would be helpful to provide a small warning, perhaps as a comment, or even modify the example to sanitize text, as some developers are not aware of XSS attacks and the significance of disabling such protections for text.
It's not too easy to sanitize it either as you would likely have to import some HTML sanitization library, sanitize text, then pass it on to marked so the actual markdown HTML does not get sanitized, and eventually @html, which I would imagine would end up causing negligence on the developer's side and end up ignoring the blaring security flaw.
I'm not sure if this kind of feedback is accepted, and yes the example is local although I would imagine a lot of developers would adapt this code into their own apps for remote user-specified content, but I'd like to leave it anyways.
- [x] the example stays focused on a specific use case or technology
- [x] the example stays self-contained and easy to grasp
- [x] the example stays stable and does not require much maintenance
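The escape-then-render ordering the issue describes, as an added example that is not code from svelte.dev or the marked project; `renderInline` is a hypothetical stand-in for `marked()` that handles only `*italic*` and `**bold**` so the block runs without dependencies, and `sample` is constructed input.

```javascript
// Added example (not from the svelte.dev snippet or the marked project).
// renderInline is a hypothetical stand-in for marked(): it only handles
// **bold** and *italic*, which is enough to show the ordering that matters.

// Escape the five characters that can open a tag or break out of an attribute.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal markdown-to-HTML stand-in; strong first so ** is not consumed by *.
function renderInline(markdown) {
  return markdown
    .replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>')
    .replace(/\*(.+?)\*/g, '<em>$1</em>');
}

// What the svelte.dev snippet does: raw user text into the renderer, then {@html}.
function renderUnsafe(text) {
  return renderInline(text);
}

// The fix the issue describes: escape the user's text first, then render, so any
// HTML the user typed becomes literal text while the renderer's own HTML survives.
function renderSafe(text) {
  return renderInline(escapeHtml(text));
}

// Constructed sample input: ordinary markdown plus an injected tag.
const sample = 'Some words are *italic*, some are **bold** <img src=x onerror="alert(1)">';

console.log(renderUnsafe(sample)); // the <img> tag would reach the DOM untouched
console.log(renderSafe(sample));   // the tag is shown as text; bold/italic still render
```

Escaping the input only neutralizes raw HTML typed by the user; markdown constructs that the renderer turns into attributes (link URLs, for example) are not covered by it, which is why sanitizing the renderer's output with a library such as DOMPurify before `{@html}` is the more common pattern.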