What are you trying to achieve? The XSS Sanitize is being used to remove HTML tags from a string value. This is for example used when you have a string value including HTML tags and you want to get rid of the HTML tags by adding the defined policies.
As stated on the docs:
XSSSanitize – This removes all the potentially dangerous HTML from a string so that it can be safely displayed in a browser. This function should be applied to all HTML, which is displayed in the browser and can be entered by (untrusted) users.
You want to do this f.e. when there is a rich text editor field and you want to have the core value without the rich text.
If you just want to adjust the html code of the login.html file you can do that in your app explorer folder.