Goal
Write down the current rendering assumption: example content is trusted local content, not arbitrary remote user input.
Current behavior
The renderer uses simple HTML string rendering for item, enemy, equipment, and inventory UI. That keeps the starter readable, but future example packs should understand the trust boundary.
Proposed work
- Add a short note to the docs about trusted example content.
- Clarify that bundled example files are expected to be reviewed source files.
- Explain that third-party or remote content would need safer rendering or sanitization before being supported.
- Do not rewrite the renderer in this issue.
Acceptance checks
- Docs mention the trusted-content assumption.
- Future contributors know not to treat arbitrary remote content as safe input.
- Existing smoke tests still pass.
- No runtime behavior changes are included.
Guardrails
This is a documentation issue only. Keep the current small-engine rendering style intact unless a separate implementation issue is opened.
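The trust boundary described above, as an added example that is not part of the original issue or the project's renderer. The function names, item fields, and sample data are assumptions made for illustration; it shows why string rendering is fine for reviewed files and what escaping would change for unreviewed content.

```javascript
// Added illustration: names and fields are hypothetical, not the project's code.

// String rendering as the issue describes it: values are interpolated as-is.
function renderItemTrusted(item) {
  return `<li class="item"><b>${item.name}</b> ${item.description}</li>`;
}

// Escape the five HTML-significant characters before interpolation.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Same markup, but every content field is treated as text, not HTML.
function renderItemEscaped(item) {
  return `<li class="item"><b>${escapeHtml(item.name)}</b> ${escapeHtml(item.description)}</li>`;
}

// Review aid: list the string fields of a content pack that contain
// characters the string renderer would interpret as markup.
function findMarkupFields(pack, path = "pack") {
  const hits = [];
  for (const [key, value] of Object.entries(pack)) {
    const here = `${path}.${key}`;
    if (typeof value === "string") {
      if (/[<>&"']/.test(value)) hits.push(here);
    } else if (value && typeof value === "object") {
      hits.push(...findMarkupFields(value, here));
    }
  }
  return hits;
}

// Constructed sample data: one reviewed bundled item, one unreviewed item.
const reviewedItem = { name: "Iron Sword", description: "A plain blade." };
const unreviewedItem = { name: "<u>Rusty</u> Key", description: 'Opens the "old" door' };
const samplePack = { items: [reviewedItem, unreviewedItem] };
```

For reviewed content both renderers produce identical output, which is the case the trusted-content note documents; `findMarkupFields` could serve as a check when reviewing a new example pack.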