Svelte is a UI framework known for its "disappearing" nature, meaning it shifts the bulk of its work to compile time, resulting in highly performant JavaScript code and a smaller bundle size for your web applications. Version 1.23.3 builds upon the foundation of 1.23.2, offering subtle improvements and refinements.
While the core functionalities remain consistent, developers upgrading from 1.23.2 to 1.23.3 can expect potential bug fixes and minor performance enhancements. Examining the devDependencies reveals an extensive toolchain utilized for development and testing, including tools like rollup for bundling, eslint for linting, and mocha for testing. These tools ensure code quality, consistency, and reliability. Both versions use the same set of devDependencies, suggesting that the core development process and tooling didn't change between these releases.
The key difference lies in the release date; version 1.23.3 was released shortly after 1.23.2, indicating that the new version contained some urgent fixes or improvements. Therefore, it is recommended to use the newest version. Svelte aims to provide a reactive and component-based approach to building user interfaces, offering developers a streamlined experience with efficient output. When deciding on a Svelte version for a specific project, always check the official Svelte project website for the newest stable version and its documentation.
All the vulnerabilities related to version 1.23.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
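The example below is added here and is not Svelte's own code: it models the two escaping rules quoted above, the way a JS-enabled browser treats everything inside <noscript> as raw text until the first literal </noscript>, and a hardened attribute escaper (my addition) that also encodes < so no attribute value can terminate the element. The function names and the constructed input are assumptions for the demonstration.

```javascript
// Attribute escaping as described in the advisory: only " and & are encoded.
function escapeAttrLegacy(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content escaping as described in the advisory: only < and & are encoded.
function escapeText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaper (added here, not Svelte's): additionally encodes <,
// so a value can never contain a literal tag regardless of its parent element.
function escapeAttrHardened(s) {
  return escapeAttrLegacy(s).replace(/</g, "&lt;");
}

// Markup the +page.svelte above would emit for a given href and escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">${escapeText("test")}</a></noscript>`;
}

// Models the browser with scripting enabled: the <noscript> body is raw text
// that ends at the first literal "</noscript>"; whatever follows is parsed as
// ordinary HTML. Returns that trailing markup.
function afterNoscript(html) {
  const open = html.indexOf("<noscript>");
  if (open < 0) return "";
  const close = html.indexOf("</noscript>", open + "<noscript>".length);
  if (close < 0) return "";
  return html.slice(close + "</noscript>".length);
}

// True when the rendered page lets a <script> tag reach the HTML parser.
function leaksScript(href, escapeAttr) {
  return /<script\b/i.test(afterNoscript(renderNoscriptLink(href, escapeAttr)));
}

// Constructed input: the href value from the advisory's URL.
const untrustedHref = "</noscript><script>alert(123)</script>";

console.log(leaksScript(untrustedHref, escapeAttrLegacy));   // true: attribute closes <noscript>
console.log(leaksScript(untrustedHref, escapeAttrHardened)); // false: "<" is encoded as &lt;
```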