Svelte version 1.2.1 represents a minor, yet crucial update to the preceding 1.2.0 release of this "magical disappearing UI framework". Primarily, developers will find that the core functionality and API remain consistent between the two versions. The core promise of Svelte, to compile components into highly efficient vanilla JavaScript during build time, thereby minimizing runtime overhead, continues to be the focal point in both versions.
A detailed examination reveals both versions share identical dependencies, including "magic-string" for source code manipulation. Examining the "devDependencies" section, the versions are identical, which implies that the tooling for development, testing, and building the library didn't change between the releases, ensuring a stable development workflow. This includes familiar tools like "rollup" for bundling, "eslint" for linting, and "mocha" for testing.
The key difference lies in the internal fixes that prompted the 1.2.1 release. The specific fixes are not outlined in the provided package metadata, but the rapid release (approximately one day after 1.2.0) suggests they addressed a notable bug or optimization in the previous version. The main benefit for developers is therefore stability and improved reliability: upgrading to 1.2.1 offers a more polished rendition of the framework without introducing breaking changes. Always refer to the official Svelte changelog or release notes for the complete list of applied fixes. Because the development dependencies are unchanged, the upgrade should be painless for existing projects.
All vulnerabilities related to version 1.2.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

    <script>
      import { page } from "$app/stores";
      // user input
      let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>

    <noscript>
      <a href={href}>test</a>
    </noscript>
If a user accesses the following URL:

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
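To make the escaping gap concrete, the following is an added example (not Svelte's own code; every function name in it is this example's own) that applies the attribute escaping rules quoted above and a stricter variant to the advisory's URL parameter, then checks the rendered <noscript> fragment for a tag breakout:

```javascript
// Added example, not Svelte's code. Contrasts attribute escaping that only
// handles `"` and `&` (the rules quoted in the advisory) with an escaper that
// also neutralises angle brackets, and shows why it matters inside <noscript>,
// whose raw content a browser may re-parse as markup when scripting is off.

// Mirrors the advisory's attribute rules: only `"` and `&` are escaped.
function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'));
}

// Hardened variant: additionally escapes `<`, `>` and `'`, so an attribute
// value can never open or close a tag even if the surrounding quoting is
// lost during re-parsing.
function escapeAttrStrict(value) {
  const map = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };
  return String(value).replace(/[&"'<>]/g, (ch) => map[ch]);
}

// Renders the SSR fragment from the advisory's +page.svelte using the given escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defender-side check: does the content between our own <noscript> wrapper
// tags contain a raw closing </noscript> or an opening <script tag?
function containsTagBreakout(html) {
  const inner = html.slice('<noscript>'.length, html.length - '</noscript>'.length);
  return /<\/noscript|<script/i.test(inner);
}

// Constructed input with the same shape as the advisory's URL parameter.
const hostileHref = '</noscript><script>alert(123)</script>';

console.log(containsTagBreakout(renderNoscriptLink(hostileHref, escapeAttrLegacy)));
console.log(containsTagBreakout(renderNoscriptLink(hostileHref, escapeAttrStrict)));
```

With the legacy rules the hostile value passes through untouched, because it contains neither `"` nor `&`; the strict escaper leaves no raw angle brackets for the browser to re-parse.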
XSS when using an attribute within a noscript tag