Svelte version 2.13.3 is a minor update to the magical disappearing UI framework, building upon the foundation laid by version 2.13.2. Both versions share the same core description, highlighting Svelte's unique approach to web development by shifting the workload from the browser to the compile time, resulting in highly performant and efficient applications. Key benefits for developers remain consistent between the versions, offering a streamlined development experience through its component-based architecture and reactive programming model.
Looking at the devDependencies, both versions feature the same toolset needed for development, testing and building Svelte applications. This includes essential tools like rollup for bundling, typescript for type checking, eslint for linting, and mocha for testing. The consistent tooling ensures a predictable development experience during upgrades.
However, a notable difference lies in the dist section. Version 2.13.3 has a fileCount of 15 and an unpackedSize of 1034016 bytes, while version 2.13.2 has a fileCount of 12 and an unpackedSize of 1015648 bytes. This difference suggests that version 2.13.3 includes some additional files or optimizations compared to its predecessor. These could be new features, bug fixes, or improvements to the compiler or runtime. The release date indicates that version 2.13.3 was released about a week after 2.13.2, suggesting a quick follow-up to address identified issues or include enhancements. For developers already using Svelte 2, upgrading to 2.13.3 is likely a worthwhile step to benefit from these potential improvements.
All vulnerabilities related to version 2.13.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
When rendering an attribute value:
  " -> &quot;
  & -> &amp;
When rendering text content:
  < -> &lt;
  & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
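To make the escaping rules above concrete, here is an added example (not Svelte's own code) that models the attribute and text escapers as the advisory describes them, renders the <noscript> page from the advisory, and contrasts the output with a hardened attribute escaper that also neutralises < and > (an assumption about what a fix must achieve, not Svelte's actual patch). The mechanism it exposes: with scripting enabled, browsers tokenise <noscript> contents as raw text, so the first </noscript ends the element regardless of attribute quoting.

```javascript
// Attribute-value escaping exactly as the advisory describes: only " and &.
function escapeAttrLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-content escaping as the advisory describes: only < and &.
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaping (assumption, not Svelte's implementation):
// additionally convert < and > so an attribute value can never contain a
// literal closing tag, even when the browser re-parses <noscript> as raw text.
function escapeAttrHardened(value) {
  return escapeAttrLegacy(value).replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Server-side render of the advisory's +page.svelte, with a pluggable escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defender-side check on SSR output: the template contains exactly one
// </noscript; any extra occurrence came from user data and would terminate the
// element early in a browser that has scripting enabled.
function closingNoscriptTags(html) {
  return (html.match(/<\/noscript/gi) || []).length;
}

// Constructed input, the same value the advisory's URL carries in ?href=.
const untrustedHref = "</noscript><script>alert(123)</script>";

const legacyHtml = renderNoscriptLink(untrustedHref, escapeAttrLegacy);
const hardenedHtml = renderNoscriptLink(untrustedHref, escapeAttrHardened);
console.log("legacy   :", legacyHtml, "->", closingNoscriptTags(legacyHtml), "closing tags");
console.log("hardened :", hardenedHtml, "->", closingNoscriptTags(hardenedHtml), "closing tags");
```

The legacy escaper leaves the value untouched because it contains neither " nor &, so the rendered markup carries two </noscript tokens and a live <script>; the hardened escaper yields one.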
XSS, when using an attribute within a noscript tag