Rendering unsanitised HTML via @html is a potential XSS (cross-site scripting) vulnerability if that HTML is provided by a user. Consider removing support for HTML toast messages in favour of Svelte component toast messages.
Warning! Svelte doesn't perform any sanitization of the expression inside {@html ...} before it gets inserted into the DOM. This isn't an issue if the content is something you trust like an article you wrote yourself. However if it's some untrusted user content, e.g. a comment on an article, then it's critical that you manually escape it, otherwise you risk exposing your users to Cross-Site Scripting (XSS) attacks.
-- https://learn.svelte.dev/tutorial/html-tags
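To make the difference concrete, here is an added example (not code from the issue, from Svelte, or from the toast library being discussed). It models what `{@html message}` produces versus what plain `{message}` interpolation produces: Svelte inserts the `{@html}` expression verbatim, as `innerHTML` would, while `{message}` is rendered as a text node and therefore escaped. The `escapeHtml` helper, the two `render*Toast` functions and the sample payload are all constructed for this example; they are not part of any library API.

```javascript
// Added example: escaped vs. unescaped rendering of a user-controlled toast message.
// None of these names come from Svelte or from the toast library under discussion.

// Escape the five characters that carry meaning in HTML text and attribute context.
// Order matters: '&' must be replaced first so already-escaped output is not double-escaped.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Model of {@html message}: the string is inserted into the markup unchanged,
// so any tags it contains become live DOM nodes.
function renderUnsafeToast(message) {
  return `<div class="toast">${message}</div>`;
}

// Model of {message} (or {@html escapeHtml(message)} if a raw-HTML slot must be kept):
// the string is shown literally and cannot introduce new elements.
function renderSafeToast(message) {
  return `<div class="toast">${escapeHtml(message)}</div>`;
}

// Defender-side check usable in a test suite or a review script: does the rendered
// markup contain a tag that did not come from the template itself?
function containsForeignTag(rendered) {
  const inner = rendered.replace(/^<div class="toast">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Constructed sample of user-supplied content (e.g. a comment echoed back in a toast).
const untrusted = '<script>alert("xss")</script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderUnsafeToast(untrusted));
  console.log('safe   :', renderSafeToast(untrusted));
  console.log('unsafe contains foreign tag:', containsForeignTag(renderUnsafeToast(untrusted)));
  console.log('safe contains foreign tag  :', containsForeignTag(renderSafeToast(untrusted)));
}
```

The practical takeaway is the one the issue makes: if the toast component accepts a plain string, render it with `{message}` and let Svelte escape it; if it must accept rich content, accept a Svelte component (or snippet) authored by the application rather than a user-supplied HTML string, so that `{@html}` is never fed untrusted input.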