unlayer / react-email-editor

Drag-n-Drop Email Editor Component for React.js

Home Page: https://unlayer.com/embed


Potential XSS vulnerability

stitchface-hime opened this issue

In the embedded editor, when using the HTML block, a user is able to run scripts by writing code like <img src="x" onerror="alert(1)">, which runs immediately when the canvas displaying the email rerenders to reflect the changes. If a script tag is written, it runs only when the 'Preview' button is clicked. This could potentially have dire consequences if arbitrary code were allowed to run on a user's machine.

I've noticed that the issue doesn't exist when using the editor within the Unlayer user portal, as it sanitizes any script tags, event handlers, etc.

The embedded version of the editor, however, does not do any sanitization.

Are there any plans to also apply this sanitization to the embedded version of the product?
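As an added illustration from the defender's side (this is example code, not Unlayer's sanitizer and not code posted by the issue author), the allowlist sanitizer below shows the treatment the reporter observed in the Unlayer portal: `<script>` elements are removed together with their contents, `on*` event-handler attributes are stripped, and `href`/`src` values with a `javascript:` or other non-allowlisted scheme are dropped. It is built on Python's standard-library `html.parser`, so a real parser rather than regexes decides where tags and attributes begin and end. The tag and attribute allowlists, the `url_is_safe` helper and the `dropped` report format are assumptions chosen for this example; the two inputs in the `__main__` block are the payloads described in the issue.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are assumptions for this example; a real deployment tunes them
# to the markup the email editor actually needs.
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "h1", "h2", "h3", "i", "img", "li",
                "ol", "p", "span", "strong", "table", "tbody", "td", "th", "tr",
                "u", "ul"}
VOID_TAGS = {"br", "img"}
# Elements removed together with their contents, not merely unwrapped.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg",
                     "math", "template"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
GLOBAL_ATTRS = {"class"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def url_is_safe(value):
    """Accept only relative URLs and allowlisted schemes.

    Control characters and whitespace are removed before the scheme check
    because browsers ignore them inside a scheme (e.g. 'java\\tscript:').
    """
    if value is None:
        return False
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlparse(compact).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; records what it dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside an element dropped with content
        self.dropped = []     # human-readable log of removals, useful for alerting

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(f"<{tag}>: element and contents removed")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>: tag stripped, contents kept")
            return
        allowed = GLOBAL_ATTRS | ALLOWED_ATTRS.get(tag, set())
        kept = []
        for name, value in attrs:          # html.parser lowercases names already
            if name.startswith("on"):
                self.dropped.append(f"<{tag} {name}>: event handler removed")
                continue
            if name not in allowed:
                self.dropped.append(f"<{tag} {name}>: attribute not allowlisted")
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append(f"<{tag} {name}>: unsafe URL scheme")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output, so decoded entities cannot form new tags.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_with_report(html):
    """Return (clean_html, list_of_removals)."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


def sanitize(html):
    return sanitize_with_report(html)[0]


if __name__ == "__main__":
    # The two inputs named in the issue report.
    for payload in ('<img src="x" onerror="alert(1)">',
                    '<p>Hello</p><script>alert(1)</script>'):
        clean, report = sanitize_with_report(payload)
        print(f"{payload!r} -> {clean!r}; removed: {report}")
```

The `dropped` list is there because a sanitizer that silently rewrites content hides the signal: logging what was stripped from user-supplied HTML blocks gives a detection hook for repeated injection attempts without changing what the editor renders.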

All good, I found the config in the docs that resolves this: https://docs.unlayer.com/docs#configuration-options