Svelte is a UI framework that distinguishes itself with a "magical disappearing" act, compiling away into highly efficient vanilla JavaScript during the build process. Versions 1.1.3 and 1.1.2 share this core philosophy, offering developers a component-based approach to building web applications with reactive updates and a focus on performance.
Reviewing the package data, the primary distinction between versions 1.1.2 and 1.1.3 lies in their release dates. Version 1.1.3 was released on December 7th, 2016, roughly 10 hours after version 1.1.2 on December 6th, 2016. The development dependencies listed, which include tools like Rollup, ESLint, and Babel plugins for build processes and code quality, remain consistent across both versions. This suggests that the incremental update from 1.1.2 to 1.1.3 was likely a patch addressing minor bugs, performance tweaks, or documentation improvements rather than introducing significant new features or API changes. For developers, this implies a smooth transition between the two versions with minimal compatibility concerns. While the core functionality remains the same, opting for version 1.1.3 is advisable to benefit from the latest fixes and refinements, however small. The rapid release following 1.1.2 is a strong signal of a fix that the author wanted to ship as soon as possible. Developers embarking on new Svelte projects or maintaining existing ones should ensure they are using the most up-to-date stable version, even when the changes appear minor.
All the vulnerabilities related to version 1.1.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
```svelte
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
```
If a user accesses the following URL, http://localhost:4173/?href=</noscript><script>alert(123)</script> then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
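To make the context mismatch concrete, here is an added example in plain JavaScript; it is not code from Svelte or from the advisory. escapeAttrLegacy and escapeAttrHardened are assumed reconstructions of the attribute escaping the advisory describes and of a context-independent variant, renderNoscriptAnchor stands in for the server-side render of the page above, and countClosingNoscript is a check on the rendered string that flags a break-out.

```javascript
// Added example, not Svelte's own code. The two escapers are a reconstruction
// of the behaviour the advisory describes: the legacy one rewrites only what
// the attribute context needs, the hardened one also rewrites "<" and ">" so
// the value stays inert even if the browser reparses it as text.

// Attribute escaping as the advisory describes it: only `"` and `&`.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Context-independent escaping: `<` and `>` are rewritten as well, so a
// closing tag can never appear literally in the output.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Stand-in for the server-side render of the <noscript> anchor above.
function renderNoscriptAnchor(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Detection on the rendered string: a correct render contains exactly one
// literal </noscript>; a second one means the attribute value broke out.
function countClosingNoscript(html) {
  return (html.match(/<\/noscript>/gi) || []).length;
}

// Constructed inputs: the query-string value quoted in the advisory and the
// page's default href.
const hostileHref = "</noscript><script>alert(123)</script>";
const benignHref = "https://example.com";

for (const [name, esc] of [["legacy", escapeAttrLegacy], ["hardened", escapeAttrHardened]]) {
  const html = renderNoscriptAnchor(hostileHref, esc);
  console.log(`${name}: ${countClosingNoscript(html)} closing </noscript> tag(s)`);
  console.log("  " + html);
}
// Both escapers leave an ordinary URL untouched.
console.log(renderNoscriptAnchor(benignHref, escapeAttrHardened));
```

The legacy render reports two closing tags because the attribute value carries a literal `</noscript>`; the hardened render reports one.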