Skip to content

SEC001 · Raw HTML render

Severity: warning · Category: security

Flags every {@html …} in a component (static/CLI analysis of src/**/*.svelte).

{@html} renders its value as unescaped HTML. If the value can contain user input and is not sanitized, it is a cross-site-scripting (XSS) vector. Static analysis can’t prove sanitization, so each use is surfaced for review.

Sanitize before rendering, or render as text/markup instead:

<script>
import DOMPurify from 'dompurify';
let { html } = $props();
</script>
{@html DOMPurify.sanitize(html)}