Custom scripts and css added at page or project level do not render in preview mode but only in the live app.
A custom script in an html element will be executed.
Dynamic values you put inside the html element may expose you to XSS attacks because it updates the element innerHTML directly. See this example.
Also the code inside script tags in the html element is executed using eval.
Custom elements avoid this kind of problem, that’s because it’s the best practice.
Be mindful of the security concerns and choose what you want to use.
