Svelte version 2.11.0 refines the magical disappearing UI framework, building upon the foundation laid by version 2.10.1. Both versions share a core set of development dependencies, ensuring a consistent development experience. Key tools like Rollup, TypeScript, and ESLint remain in place, providing developers with familiar mechanisms for bundling, type checking, and linting their Svelte applications. Developers will continue to use their existing build processes without interruption.
The subtle enhancements in 2.11.0 improve stability and developer workflows. Under the hood, both versions rely on a robust stack of developer tools, including the Mocha testing framework and the nyc code coverage tool. The slightly larger unpacked size in 2.11.0 hints at code optimizations or additional features that are likely to enhance responsiveness. The 504-byte difference in unpacked size may reflect extra functionality or tweaks to existing code; in practice this should amount to minor improvements and bug fixes for Svelte applications. Anyone using Svelte will appreciate the incremental quality improvements in version 2.11.0. The updated release date reflects the project's ongoing commitment to refinement, and upgrading ensures developers are working with the most polished version of the framework.
All vulnerabilities related to version 2.11.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"  ->  &quot;
&  ->  &amp;
<  ->  &lt;
&  ->  &amp;
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
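To make both advisories on this page concrete, the following is an added example written for this page, not Svelte's own source. It models the server-side attribute escape step in three variants: one that escapes only string values (the pre-3.49.0 behaviour described in the first advisory, bypassed by an object with a custom toString()), one that coerces to a string but leaves `<` alone in attributes (the pre-4.2.19 behaviour behind the noscript advisory), and a hardened form that does both. The function names, the render helper and the sample inputs are assumptions made for this example; the payload string is the one from the URL above, and a small check counts how many `</noscript` closers the rendered markup contains, which is what a defender would look for in SSR output.

```javascript
// Added example, not Svelte's own source: a minimal model of a server-side
// attribute escape step, showing the two failure modes described above.
// Function names and render helpers are assumptions made for this example.

const ENTITY = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };

// Model of the pre-3.49.0 attribute path: only strings are escaped, any other
// value is returned as-is and coerced later, when the template concatenates
// it, so a custom toString() result is never escaped.
function escapeAttrStringsOnly(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/[&"]/g, (c) => ENTITY[c]);
}

// Model of the pre-4.2.19 attribute path: the value is coerced first, but
// only `&` and `"` are escaped, so `<` survives inside attribute values.
function escapeAttrNoLt(value) {
  return String(value).replace(/[&"]/g, (c) => ENTITY[c]);
}

// Hardened attribute escape: coerce to string first and escape `<` as well,
// so the output can never contain a tag-like sequence, whatever the context.
function escapeAttrHardened(value) {
  return String(value).replace(/[&"<]/g, (c) => ENTITY[c]);
}

// Simplified SSR output for the `<noscript><a href={href}>test</a></noscript>`
// page above, parameterised on the escape function used for the attribute.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defender-side check on rendered markup: the template itself emits exactly
// one </noscript>; any additional closer came from attacker-controlled data.
function countNoscriptClosers(html) {
  return (html.match(/<\/noscript/gi) || []).length;
}

// Failure mode 1 (first advisory): a constructed object whose toString()
// yields markup. The strings-only escape returns it untouched, and the
// template coerces it after escaping has already run.
const objectInput = { toString: () => '"><script>alert(123)</script>' };

function demoObjectBypass() {
  return {
    legacy: renderNoscriptLink(objectInput, escapeAttrStringsOnly),
    hardened: renderNoscriptLink(objectInput, escapeAttrHardened),
  };
}

// Failure mode 2 (noscript advisory): the string payload from the URL above.
// Escaping `"` and `&` is enough for a normal attribute, but with scripting
// enabled the browser reads <noscript> content as raw text up to the first
// </noscript>, so an unescaped `<` is all it takes to break out.
const urlInput = '</noscript><script>alert(123)</script>';

function demoNoscriptBreakout() {
  return {
    legacy: renderNoscriptLink(urlInput, escapeAttrNoLt),
    hardened: renderNoscriptLink(urlInput, escapeAttrHardened),
  };
}

// Summary of both scenarios when run directly.
for (const [name, demo] of [
  ['object with custom toString()', demoObjectBypass()],
  ['</noscript> inside an attribute', demoNoscriptBreakout()],
]) {
  console.log(`${name}:`);
  console.log('  legacy   ->', demo.legacy,
    `(noscript closers: ${countNoscriptClosers(demo.legacy)})`);
  console.log('  hardened ->', demo.hardened,
    `(noscript closers: ${countNoscriptClosers(demo.hardened)})`);
}
```

The two hardened properties are independent: coercing with `String()` before escaping closes the object bypass, and escaping `<` in attributes closes the noscript breakout. Reviewing SSR output for an unexpected second `</noscript` is a cheap regression check for the second case, since the template author knows exactly how many the markup should contain.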
XSS, when using an attribute within a noscript tag