Will It Vibe logoWill It Vibe?
SVELTE-001High severity-15 points

{@html} renders a dynamic value

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

{@html expr} injects a raw HTML string into the DOM and bypasses Svelte auto-escaping, so any variable or interpolated value there is a stored or reflected XSS sink. A pure string literal is not flagged.

Why it matters

Svelte escapes text in templates by default, but {@html expr} takes the opposite path and writes the string into the DOM as live HTML. If any part of that value comes from a user, an API, or the URL, an attacker can inject a script that runs as your user and steals sessions or defaces the page. Values that look safe today tend to pick up user data as the component grows.

How to fix it

Render the value as normal text ({value}) so Svelte escapes it, which covers the large majority of cases. When you genuinely need to render HTML from user input, sanitize it first with a maintained library such as DOMPurify and render the sanitized result. Keep {@html} only for HTML you fully control, and never feed it request data, query strings, or stored user content unfiltered.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks