[Docs] String Literals Behavior (#2734)

* add note for string literals in docs * Apply suggestion from review Co-authored-by: Muhammad Hamza <muhammadhamza1311@gmail.com>
yewstack · Jun 19, 2022 · acecfab · acecfab
1 parent f27bea9
commit acecfab
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/website/docs/concepts/html/literals-and-expressions.mdx b/website/docs/concepts/html/literals-and-expressions.mdx
@@ -5,6 +5,9 @@ title: 'Literals and Expressions'
 ## Literals
 
 If expressions resolve to types that implement `Display`, they will be converted to strings and inserted into the DOM as a [Text](https://developer.mozilla.org/en-US/docs/Web/API/Text) node.
+:::note
+String literals create `Text` nodes, which are treated as strings by the browser. Hence, even if the expression contains a `<script>` tag you can't fall for XSS and such security issues, unless of course you wrap the expression in a `<script>` block.
+:::
 
 All display text must be enclosed by `{}` blocks because text is handled as an expression. This is
 the largest deviation from normal HTML syntax that Yew makes.