Svelte is a UI framework known for its "magical disappearing" act: it compiles components into efficient vanilla JavaScript rather than shipping a runtime that interprets them in the browser. Versions 1.28.0 and 1.28.1, both released on August 4th, 2017, illustrate the project's rapid release cadence. The jump from 1.28.0 to 1.28.1 is a patch release, which by semantic-versioning convention means bug fixes or small improvements rather than new features or breaking changes. Both versions share identical development dependencies, including Rollup for bundling, ESLint for linting, and TypeScript for type checking, indicating a consistent build environment. Parser-oriented libraries such as css-tree, estree-walker, and locate-character are also present, reflecting the compiler's need to parse and walk CSS and JavaScript syntax trees. The core functionality and developer experience are the same in both: a component-based model with reactive updates, compiled to plain JavaScript. The release of 1.28.1 just hours after 1.28.0 suggests the team fixes reported issues quickly. Developers on 1.28.0 should move to 1.28.1 to pick up those fixes, and more generally should keep up with Svelte's releases: both vulnerabilities listed below affect 1.28.1 and are fixed only in much later major versions (3.49.0 and 4.2.19).
All known vulnerabilities affecting version 1.28.1 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when objects are used during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function: non-string attribute values are not escaped, so the markup returned by the object's toString() reaches the rendered attribute verbatim. Version 1.28.1 falls within the affected range.
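The advisory above names the mechanism but does not show it. The following is an added example, not Svelte's own code: a minimal model of an SSR attribute-escaping helper that escapes only string values, the object-with-toString() bypass, and a hardened variant that also coerces and escapes objects. All function names and the payload are this example's own assumptions.

```javascript
// Added example, not Svelte's own code: a minimal model of how an SSR
// attribute-escaping helper that only escapes *strings* is bypassed by an
// object with a custom toString(). Function names are this example's own.

// Escape the two characters that matter inside a double-quoted attribute value
// (the attribute rules this page lists for Svelte's SSR output).
function escapeAttr(value) {
  return String(value).replace(/[&"]/g, (c) => (c === '&' ? '&amp;' : '&quot;'));
}

// Vulnerable model: anything that is not already a string is passed through
// untouched. The template literal below then calls toString() on it, so
// whatever markup toString() returns lands in the page unescaped.
function escapeAttrValueVulnerable(value) {
  return typeof value === 'string' ? escapeAttr(value) : value;
}

// Hardened model: strings *and* objects are coerced and escaped before they
// reach the template. Other primitives (booleans, null, undefined) are left
// alone so the renderer can still drop or shorten the attribute.
function escapeAttrValueFixed(value) {
  const isObject = value !== null && typeof value === 'object';
  return typeof value === 'string' || isObject ? escapeAttr(value) : value;
}

// One SSR step, as a compiled component would emit it: the escaped value is
// interpolated straight into the attribute.
function renderLink(escapeFn, href) {
  return `<a href="${escapeFn(href)}">x</a>`;
}

// Constructed payload: its toString() breaks out of the attribute and adds an
// event handler. A plain string with the same content is escaped correctly
// by both models; only the object form slips through the vulnerable one.
const payload = { toString: () => '" onmouseover="alert(1)' };

// Quick check a reviewer can run: does the rendered tag carry an event-handler
// attribute the template never declared? Quoted values are blanked first so
// text inside a properly escaped attribute cannot trigger a false positive.
function hasInjectedHandler(html) {
  return /\son[a-z]+\s*=/i.test(html.replace(/"[^"]*"/g, '""'));
}

console.log('vulnerable:', renderLink(escapeAttrValueVulnerable, payload));
console.log('fixed:     ', renderLink(escapeAttrValueFixed, payload));
```

Running it prints the vulnerable render with a live onmouseover handler and the fixed render with the quote escaped to &quot; so the attribute never closes. The type check in the vulnerable helper is the whole bug: it is not that escaping is weak, it is that escaping is skipped for a value that will be stringified anyway.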
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
" -> &quot;
& -> &amp;
In text content:
< -> &lt;
& -> &amp;
Note that < is not escaped in attribute values; that gap is what the attack below relies on.
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree built by the browser differs from what Svelte expects during server-side rendering. This can be leveraged to perform XSS attacks. More specifically, it occurs when malicious content is injected into an attribute inside a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input: attacker-controlled query parameter
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<!-- href is rendered as an attribute inside <noscript>; SSR escapes " and & but not < -->
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) is executed. The injected < is not escaped in the attribute, so the server sends a literal </noscript> inside the href; a browser with scripting enabled parses the body of <noscript> as raw text up to that closing tag, and the <script> that follows it is then parsed and run as real markup.
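To make the escaping rules and the parser mismatch concrete, here is an added example, not Svelte's or the advisory's own code. It models the attribute and text-content rules listed above, renders the +page.svelte from the advisory through them with the href taken from the URL shown, and models how a scripting-enabled browser tokenises <noscript>. The hardened escaper (which additionally escapes < in attribute values) and all function names are assumptions of this example.

```javascript
// Added example, not Svelte's own code: a model of the SSR escaping rules
// listed above, the vulnerable +page.svelte rendered through them, and a
// small model of why a scripting-enabled browser runs the injected script.
// The "fixed" escaper and all function names are this example's assumptions.

const ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };

// Attribute rule from the advisory: only & and " are escaped; < survives.
function escapeAttr(value) {
  return String(value).replace(/[&"]/g, (c) => ENTITIES[c]);
}

// Text-content rule from the advisory: & and < are escaped.
function escapeContent(value) {
  return String(value).replace(/[&<]/g, (c) => ENTITIES[c]);
}

// Assumed hardening: also escape < in attribute values, so no raw-text
// tokeniser can ever find a closing tag inside one.
function escapeAttrFixed(value) {
  return String(value).replace(/[&"<]/g, (c) => ENTITIES[c]);
}

// Mirrors the page's `$page.url.searchParams.get("href") ?? "https://example.com"`.
// URLSearchParams percent-decodes, so < and > come back as literal characters.
function hrefFromRequest(url) {
  return new URL(url).searchParams.get('href') ?? 'https://example.com';
}

// The vulnerable page, as the SSR output its compiled form would produce.
function renderPage(href, escapeFn = escapeAttr) {
  return `<noscript><a href="${escapeFn(href)}">test</a></noscript>`;
}

// Model of the browser side. With scripting enabled, the HTML parser treats
// everything after <noscript> as raw text until the first literal "</noscript",
// then resumes normal parsing. Whatever follows that close tag is live markup.
function parseWithScriptingEnabled(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf('<noscript>') + '<noscript>'.length;
  const close = lower.indexOf('</noscript', open);
  const rawText = html.slice(open, close);
  const liveMarkup = html.slice(html.indexOf('>', close) + 1);
  return { rawText, liveMarkup, runsScript: /<script[\s>]/i.test(liveMarkup) };
}

// Constructed request: the URL from the advisory.
const evilUrl = 'http://localhost:4173/?href=</noscript><script>alert(123)</script>';
console.log('vulnerable:', parseWithScriptingEnabled(renderPage(hrefFromRequest(evilUrl))));
console.log('fixed:     ', parseWithScriptingEnabled(renderPage(hrefFromRequest(evilUrl), escapeAttrFixed)));
```

With the advisory's rules the rendered attribute contains a literal </noscript>, the raw-text run ends after <a href=", and the remainder (starting with <script>) is parsed as live markup. With < escaped in the attribute, the only </noscript the parser sees is the real one and nothing follows it. The general lesson is that escaping must be chosen for the context the browser will actually parse, not the context the template author intended.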
XSS, when using an attribute within a noscript tag