In Svelte, the `{@html ...}` tag renders a string as raw HTML directly into the DOM instead of as text. This is useful when the markup comes from a dynamic source that is not part of your own templates, such as a CMS rich-text field, a Markdown renderer, or an API response.
The string inside `{@html}` is inserted as HTML, not escaped and not sanitized by Svelte, so tags and formatting render as markup rather than as visible characters.
Using `{@html}` with untrusted content introduces cross-site scripting (XSS): Svelte performs no filtering, so whatever markup is in the string reaches the browser's parser. Because the string is inserted via innerHTML, `<script>` elements in it do not execute, but the danger is not limited to script tags. Inline event handlers (for example an `<img src=x onerror="...">`, which fires as soon as the broken image fails to load), `javascript:` URLs in `href`, and injected `<iframe>` or `<form>` elements all run or act on the user's behalf. Always sanitize content from external sources with an HTML sanitizer such as DOMPurify before rendering it with `{@html}`; escaping alone is not an option here, since escaping would defeat the purpose of rendering markup.
Use `{@html}` only for HTML you author yourself or that has passed through an allowlist sanitizer.
Never pass direct user input to `{@html}` without sanitization, and treat content that other users can edit (comments, profile fields, shared documents) as user input even when it is stored in your own database.
It is appropriate for CMS content, formatted text, or third-party HTML snippets, provided that content is sanitized at render time or comes from a source you fully control.
For dynamic text that should not contain HTML, use standard curly braces (`{}`): Svelte HTML-escapes the value, so any `<` or `>` in it is shown as literal characters and the browser never parses it as markup.
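The following component is an added example, not code from the Svelte documentation. It shows the three rendering paths side by side: the vulnerable raw `{@html}` (commented out), the hardened version that runs the string through DOMPurify with an explicit tag and attribute allowlist, and plain `{}` interpolation. The sample `content` value is constructed for the example and stands in for an attacker-controlled CMS field; the allowlist is a hypothetical policy for a "formatted text" use case and should be tailored to what your templates actually need.

```svelte
<script>
  import DOMPurify from 'dompurify';

  // Constructed sample input: what an attacker might store in a CMS
  // rich-text field. The <img> has no valid source, so onerror fires
  // immediately when the markup is inserted into the DOM.
  export let content =
    '<p>Hello <b>world</b></p>' +
    '<img src="x" onerror="alert(document.cookie)">' +
    '<a href="javascript:alert(1)">click</a>';

  // Hypothetical allowlist for "formatted text": structural and inline
  // formatting tags only, and href as the single permitted attribute.
  // Event handler attributes (onerror, onclick, ...) are never in the
  // list, so they are dropped. DOMPurify's default URI check also
  // rejects javascript: URLs in href, so the <a> keeps its text but
  // loses the dangerous link target.
  const policy = {
    ALLOWED_TAGS: ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li'],
    ALLOWED_ATTR: ['href']
  };

  // Reactive: re-sanitize whenever the prop changes, so a later update
  // to `content` cannot bypass the sanitizer.
  $: clean = DOMPurify.sanitize(content, policy);
</script>

<!-- Vulnerable: raw string reaches the parser, the onerror handler runs.
<div>{@html content}</div>
-->

<!-- Hardened: only allowlisted markup survives; the <img> is removed
     and the javascript: href is stripped. -->
<div>{@html clean}</div>

<!-- Plain text: Svelte escapes the string, so the user sees the literal
     tags and nothing executes. Use this when no HTML is expected. -->
<pre>{content}</pre>
```

Two caveats a practitioner will hit: DOMPurify needs a DOM, so in a server-rendered SvelteKit route you must either sanitize on the server with a DOM-backed build (for example the `isomorphic-dompurify` package) or sanitize on the client before the value reaches `{@html}`; and the allowlist should live in one shared module, because two components sanitizing with different policies is how a "safe" tag in one place becomes an injection point in another.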