Svelte 1.14.0, released on April 11, 2017, builds on version 1.13.7, released a day earlier. Both versions share the same core philosophy: a "magical disappearing UI framework" for building highly performant web applications. Svelte achieves this by shifting work from the browser to the compilation step, producing smaller and faster JavaScript bundles.
Judging by the devDependencies, the development environment stayed largely the same between the two versions. Key tools such as rollup for bundling, babel for transpilation, eslint for linting, and mocha for testing are present at similar versions. This points to a stable development process focused on incremental improvements rather than radical changes. A detailed changelog would give more specific insight, but the similarity in development dependencies suggests that developers upgrading from 1.13.7 to 1.14.0 would experience a smooth transition.
The consistent use of css-tree, magic-string, and estree-walker reflects Svelte's approach of working directly with the structure of code, which gives fine-grained control over the compilation step. For developers, this means a framework that is deeply customizable and capable of producing optimized output. The ES2015 transformations applied through Babel plugins also keep the output compatible with a wide range of browsers. The version bump suggests bug fixes, performance tweaks, and possibly minor feature additions, all contributing to a more polished and reliable development experience. Developers should consult the official Svelte changelog for the precise details of the update.
All the vulnerabilities related to version 1.14.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when objects are used during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
Inside attributes:
  " -> &quot;
  & -> &amp;
Between tags:
  < -> &lt;
  & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag