Svelte 1.9.0 is a minor version update to the Svelte JavaScript framework, building upon the foundation laid by version 1.8.1. Both versions maintain the core philosophy of Svelte – a "magical disappearing UI framework" that shifts the workload from the browser to the compile time, resulting in highly efficient and performant web applications. Examining the provided data, the dependency declarations are identical between the two versions. Both rely on "magic-string" and share the same suite of development dependencies, including tools like Rollup for bundling, ESLint for code linting, and Mocha for testing. This suggests that the update from 1.8.1 to 1.9.0 doesn't introduce any breaking changes in terms of required external libraries or the developer toolchain. Developers comfortable with version 1.8.1 should find the transition to 1.9.0 seamless. The key difference lies in the release date, with version 1.9.0 being released shortly after 1.8.1. This implies the update likely contains bug fixes and minor internal improvements rather than new features or API adjustments. For developers, this means upgrading to 1.9.0 represents a low-risk way to potentially benefit from stability improvements and minor refinements without requiring significant code modifications or learning new concepts. Developers should consult the official Svelte changelog or release notes for a comprehensive list of specific changes included in the 1.9.0 release.
All vulnerabilities related to version 1.9.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
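The advisory above turns on a type check rather than on the escaping itself: if only values of type string are escaped, any other value is coerced to a string at concatenation time, and a custom toString() can therefore emit raw markup. The following model is an added example, not Svelte's own code; escapeHtml, renderTextLegacy and renderTextHardened are assumed names that mimic the defect and a fix, and taintedObject is constructed sample input.

```javascript
// Added example (not Svelte's code): models the SSR escaping defect described
// in the advisory, where non-string values reached the output unescaped.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

// Minimal HTML escaper used by both renderers below.
function escapeHtml(str) {
  return str.replace(/[&<>"]/g, (c) => ESCAPES[c]);
}

// Assumed legacy behaviour: only strings are escaped; any other value is
// concatenated as-is, and the template literal calls its toString().
function renderTextLegacy(value) {
  const safe = typeof value === "string" ? escapeHtml(value) : value;
  return `<p>${safe}</p>`;
}

// Hardened: coerce to string first, then escape, so toString() output
// goes through the same escaping as ordinary strings.
function renderTextHardened(value) {
  return `<p>${escapeHtml(String(value))}</p>`;
}

// Constructed sample: an object whose toString() yields markup.
const taintedObject = { toString: () => "<script>alert(123)</script>" };

// Defender's check: does the rendered text node contain an unescaped tag?
function containsRawTag(html) {
  const inner = html.replace(/^<p>/, "").replace(/<\/p>$/, "");
  return /<\/?[a-z]/i.test(inner);
}

console.log(renderTextLegacy(taintedObject));   // markup passes through
console.log(renderTextHardened(taintedObject)); // markup is escaped
```

Objects with a custom toString() are common in practice (URL and Date instances, ORM value types), so the useful invariant to test is "every interpolated value is escaped after coercion", not "every string is escaped".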
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
-> "
&
-> &
<
-> <
&
-> &
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when malicious content is injected into an attribute inside a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores"
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
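The root cause is a context mismatch: the attribute rules above leave "<" untouched, while a scripting-enabled browser treats everything inside <noscript> as raw text that ends at the first "</noscript", quoting or not. The following is an added example, not Svelte's code: escapeAttrLegacy mirrors the advisory's attribute rules, escapeAttrHardened is an assumed fix that also escapes "<" and ">", browserNoscriptView is a deliberately simplified model of the tokenizer behaviour just described, and the payload is the one from the advisory's URL.

```javascript
// Added example (not Svelte's code): why attribute-only escaping fails
// inside <noscript>, plus a check a reviewer can run on rendered output.

// Attribute escaping as described in the advisory: only " and & are escaped.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Assumed hardening: also escape < and > so a value can never close a tag.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side rendering of the page's <noscript><a href={href}>test</a></noscript>.
function renderNoscriptLink(href, escape) {
  return `<noscript><a href="${escape(href)}">test</a></noscript>`;
}

// Simplified model of a scripting-enabled browser: the <noscript> body is raw
// text up to the FIRST "</noscript", regardless of attribute quoting.
function browserNoscriptView(html) {
  const open = html.indexOf("<noscript>");
  if (open < 0) return null;
  const bodyStart = open + "<noscript>".length;
  const close = html.toLowerCase().indexOf("</noscript", bodyStart);
  return {
    rawText: html.slice(bodyStart, close < 0 ? html.length : close),
    afterNoscript: close < 0 ? "" : html.slice(close),
  };
}

// Detection: does anything after the browser's view of </noscript> start a
// <script> tag that the server never intended to emit?
function scriptEscapesNoscript(html) {
  const view = browserNoscriptView(html);
  return view !== null && /<script\b/i.test(view.afterNoscript);
}

// Payload taken from the advisory's example URL.
const payload = "</noscript><script>alert(123)</script>";

console.log(scriptEscapesNoscript(renderNoscriptLink(payload, escapeAttrLegacy)));   // true
console.log(scriptEscapesNoscript(renderNoscriptLink(payload, escapeAttrHardened))); // false
```

The legacy output places the attacker's "</noscript" inside an attribute value, which is well-formed HTML on the server's terms, but the browser's raw-text tokenizer never sees the attribute boundary, so the sequence closes the element and the trailing <script> is parsed as real markup. Escaping "<" in attribute values removes the ambiguity regardless of which parsing mode the browser is in.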
XSS, when using an attribute within a noscript tag