Svelte version 1.0.3 represents a minor update within the early stages of this "magical disappearing UI framework's" development. Comparing it to the immediately preceding version, 1.0.2, reveals crucial insights into the project's evolution. The core description remains consistent: Svelte is presented as a UI framework that aims to make itself "disappear," alluding to its core philosophy of compiling components down to highly optimized vanilla JavaScript at build time, resulting in faster performance and a smaller bundle size for the end-user.
The devDependencies section, vital for contributors and developers involved in building or extending Svelte, remains entirely identical across both versions. This indicates that the underlying tooling, build processes, testing frameworks (nyc, mocha, jsdom) and linting rules (eslint) have not undergone any changes between these releases. The consistent dependencies on tools like Rollup for bundling, acorn for parsing, and magic-string for source code manipulation suggest stability in the development workflow.
The key difference appears in the releaseDate. Version 1.0.3 was released on November 30, 2016, hours after version 1.0.2. This suggests a quick follow-up to address a minor issue or bug fix, rather than a release introducing substantial new features or API changes to the library itself. For developers using Svelte, this information indicates that the update from 1.0.2 to 1.0.3 is most likely a bugfix release, prioritizing stability, rather than one that requires adapting to new APIs or functionality. This release represents a commitment to iterative improvement and to addressing potential issues rapidly, vital for early adopters.
All vulnerabilities affecting version 1.0.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
-> "
&
-> &
<
-> <
&
-> &
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS when using an attribute within a noscript tag
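The following is an added example, not code from Svelte or from the advisory, that models the two escaping contexts described above and shows why escaping only & and " in attribute values is not enough inside <noscript>: with scripting enabled, browsers treat the contents of <noscript> as raw text, so a literal </noscript> sequence ends the element even when it sits inside a quoted attribute. The function names, the hardened escaper (which additionally rewrites < and >) and the sample input are my own constructions; the hardened variant illustrates one defensive approach and is not presented as the project's actual fix.

```javascript
// Attribute context as described in the advisory: only & and " are rewritten.
function escapeAttrLegacy(value) {
  // String(value) coerces objects (including ones with a custom toString)
  // before escaping, so the escaper never sees a raw object.
  return String(value).replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'));
}

// Text-content context as described in the advisory: only & and < are rewritten.
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (ch) => (ch === '&' ? '&amp;' : '&lt;'));
}

// Hardened attribute escaper (assumption: my own variant, not Svelte's code).
// Rewriting < and > as well guarantees that no tag-like sequence, such as
// </noscript>, can appear literally in a rendered attribute value.
function escapeAttrHardened(value) {
  const map = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[&"<>]/g, (ch) => map[ch]);
}

// Server-side rendering of the advisory's +page.svelte, parameterised on the
// attribute escaper so both behaviours can be compared.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defender-side check on the rendered markup: a breakout has happened if the
// template's single </noscript> is joined by a second one, or if any <script>
// tag is present at all (the template contains none).
function containsBreakout(html) {
  const closes = html.match(/<\/noscript>/gi) || [];
  return closes.length > 1 || /<script\b/i.test(html);
}

// Constructed sample input mirroring the advisory's URL parameter.
const constructedHref = '</noscript><script>alert(123)</script>';

function demo() {
  const legacy = renderNoscriptLink(constructedHref, escapeAttrLegacy);
  const hardened = renderNoscriptLink(constructedHref, escapeAttrHardened);
  return {
    legacy,
    hardened,
    legacyBreaksOut: containsBreakout(legacy),     // true
    hardenedBreaksOut: containsBreakout(hardened), // false
  };
}

console.log(demo());
```

Running the block prints both renderings side by side: the legacy output still contains the injected </noscript> and <script> sequences verbatim because neither & nor " occurs in the payload, while the hardened output contains only entity-encoded angle brackets. In an SSR review, the containsBreakout check (or any equivalent that parses the rendered HTML with a real parser rather than a regex) is the kind of assertion worth keeping in a test suite for templates that interpolate user data into attributes inside raw-text elements.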