Add details to unsafeHTML docs (#1353)

* Add details to unsafeHTML docs * Update packages/lit-dev-content/site/docs/v3/templates/directives.md Co-authored-by: Augustine Kim <[email protected]> --------- Co-authored-by: Augustine Kim <[email protected]>
lit · Jul 19, 2024 · b4e94a7 · b4e94a7
1 parent bafbf70
commit b4e94a7
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/packages/lit-dev-content/site/docs/v3/templates/directives.md b/packages/lit-dev-content/site/docs/v3/templates/directives.md
@@ -1448,8 +1448,14 @@ parse such a string as HTML and render it in a Lit template.
 
 Note, the string passed to `unsafeHTML` must be developer-controlled and not
 include untrusted content. Examples of untrusted content include query string
-parameters and values from user inputs. Untrusted content rendered with this
-directive could lead to [cross-site scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting) vulnerabilities.
+parameters and values from user inputs.
+
+Untrusted content rendered with this directive could lead to [cross-site
+scripting (XSS)](https://en.wikipedia.org/wiki/Cross-site_scripting), CSS
+injection, data exfiltration, etc. vulnerabilities. `unsafeHTML` uses
+`innerHTML` to parse the HTML string, so the security implications are the same
+ as `innerHTML`, [as documented on
+MDN](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML#security_considerations).
 
 </div>