The source isn't altered (I take the component HTML, parse it, build it into a DOM, and render it). The data from the API is compiled separately (where sanitization can happen if you have untrusted user data). The two are combined together during SSR by passing the sanitized data to the component.
Developer-controlled code at the component level is assumed trusted; however, there are three mechanisms for handling escaping/sanitizing on the server:
1. There are helpers built into the API (you can conditionally enable sanitization depending on need) to handle sanitization, and helper functions built into the server side to do one-off escaping/sanitization for HTML.
2. Query params are sanitized automatically to prevent injection.
3. To prevent unescaped HTML in data from breaking renders, I base64-encode it before sending it to the browser.
This approach to escaping is by design, as some use cases call for sanitization (they're rendering user-generated data) while others do not.
You're welcome to audit the source and see if I missed something or make suggestions on improvements.
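
The third mechanism above, sketched as an added example (not part of the original comment and not the framework's code; all function names and the sample value are hypothetical). It shows why base64 keeps SSR data from breaking the page markup, and that the decoded value is unchanged, so user-generated fields still need escaping where they are rendered.

```javascript
// Added example. Function names are hypothetical, not the framework's API.

// Escape the five HTML-significant characters for text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Naive embedding: raw JSON inside a <script> element. JSON.stringify does not
// escape "<" or "/", so a "</script>" in the data ends the element early and
// the remainder is parsed as HTML.
function embedNaive(data) {
  return `<script id="ssr-data" type="application/json">${JSON.stringify(data)}</script>`;
}

// Base64 transport: the payload alphabet is [A-Za-z0-9+/=], so nothing in it
// can be parsed as markup, whatever the data contains.
function embedBase64(data) {
  const b64 = Buffer.from(JSON.stringify(data), 'utf8').toString('base64');
  return `<script id="ssr-data" type="text/plain">${b64}</script>`;
}

// Receiving side (run here in Node): extract the payload and decode it.
function readBase64(html) {
  const m = html.match(/<script id="ssr-data"[^>]*>([A-Za-z0-9+/=]*)<\/script>/);
  if (!m) throw new Error('ssr-data element not found');
  return JSON.parse(Buffer.from(m[1], 'base64').toString('utf8'));
}

// Count closing script tags to see whether the data escaped its element.
function countScriptCloses(html) {
  return html.split('</script>').length - 1;
}

// Rendering a user-generated field: base64 was only transport, so escape here.
function renderComment(data) {
  return `<p>${escapeHtml(data.comment)}</p>`;
}

// Constructed sample: a user-generated field that contains markup.
const sample = { comment: '</script><b>hi</b> caf\u00e9' };

console.log(countScriptCloses(embedNaive(sample)));   // data broke out of the element
console.log(countScriptCloses(embedBase64(sample)));  // single, intended closing tag
console.log(renderComment(readBase64(embedBase64(sample))));
```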