Svelte version 1.6.9 represents a minor update to the magical disappearing UI framework, arriving shortly after version 1.6.8. Both versions share the same core description, highlighting Svelte's unique approach to building web applications. Developers familiar with Svelte know it shifts the workload from the browser to the compile step, resulting in highly performant and efficient JavaScript.
The dependency list sees the introduction of "css-tree":"^1.0.0-alpha16" as the only difference. Both versions rely on "magic-string" for core functionality and share a suite of development dependencies, including tools for bundling (Rollup), testing (Mocha, jsdom, nyc, codecov), linting (eslint), and transpilation (babel). The consistent use of these tools indicates a stable and well-maintained development environment for Svelte.
For developers considering an upgrade from 1.6.8 to 1.6.9, the addition of "css-tree":"^1.0.0-alpha16" could be a key point, but developers who do not use CSS probably need not consider the update. Svelte's commitment to performance and its focus on compile-time optimization continue to be central to its appeal. The MIT license and clear author attribution (Rich Harris) further contribute to the package's trustworthiness. Reviewing the commit logs and release notes associated with these versions on the Svelte GitHub repository is always recommended for a complete understanding of the changes and the potential implications of upgrading.
All vulnerabilities related to version 1.6.9 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
" -> &quot;
& -> &amp;
< -> &lt;
& -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
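The following is an added example, not Svelte's own code: it models the SSR escaping rules quoted above (attribute context escaping only " and &, text context escaping only < and &), renders the advisory's noscript fragment with them, and places a hardened attribute escaper beside the weak one. The hardened variant and the countCloseNoscript check are this page's illustration of a mitigation, not the fix Svelte 4.2.19 actually shipped.

```javascript
// Weak attribute escaping, as the advisory describes it: only `"` and `&`.
function escapeAttrWeak(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-node escaping, as the advisory describes it: only `<` and `&`.
function escapeText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaping (an assumption for this example): `<` and `>`
// are escaped too, so an attribute value can never be reinterpreted as markup
// if the browser treats the enclosing element's content as raw text, which is
// what happens to <noscript> content when scripting is enabled.
function escapeAttrStrict(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side rendering of the page's fragment:
//   <noscript><a href={href}>test</a></noscript>
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defensive check for a test or a response filter: the serialized fragment
// must contain exactly one closing </noscript>, otherwise an attribute value
// has broken out of its element.
function countCloseNoscript(html) {
  return (html.match(/<\/noscript>/gi) || []).length;
}

// Constructed sample input mirroring the advisory's `href` query parameter.
const SAMPLE_HREF = "</noscript><script>alert(123)</script>";

// Summary usable from a test: does each escaper keep the fragment intact?
function evaluateEscapers(href = SAMPLE_HREF) {
  const weak = renderNoscriptLink(href, escapeAttrWeak);
  const strict = renderNoscriptLink(href, escapeAttrStrict);
  return {
    weakIntact: countCloseNoscript(weak) === 1,
    strictIntact: countCloseNoscript(strict) === 1,
  };
}
```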
XSS when using an attribute within a noscript tag