Svelte version 2.13.5 is a minor release in the 2.x series of the "magical disappearing UI framework," building upon the previous stable version 2.13.4. Both versions share the same core description and license (MIT), underlining a commitment to open-source principles. The developer dependencies are nearly identical, suggesting the core build and testing processes remained consistent. These dependencies include essential tools like Rollup for bundling, TypeScript for type checking, ESLint for code quality, and Mocha for testing.
However, a key difference lies in the dist section. Version 2.13.5 reports a noticeably smaller unpacked size of 945074 bytes, compared with 1015947 bytes for version 2.13.4, which suggests that optimization and code-reduction work landed in this release. Developers using the later version may benefit from faster download times, reduced storage requirements, and potentially improved runtime performance due to the smaller bundle size. Version 2.13.5 was released on 2018-09-19, roughly two weeks after version 2.13.4 (2018-09-06), which points to a focus on addressing bugs or performance bottlenecks identified in the prior release. While both versions provide the core Svelte experience, the reduced size of version 2.13.5 makes it a potentially more attractive option for developers concerned about efficiency.
All vulnerabilities affecting version 2.13.5 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the entity names were lost in extraction and are restored here from Svelte 4's attribute and content escaping):

"  ->  &quot;   (attribute values)
&  ->  &amp;    (attribute values)
<  ->  &lt;     (text content)
&  ->  &amp;    (text content)
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree built by the browser differs from what Svelte expected during server-side rendering. This can be leveraged to perform XSS attacks. More specifically, it occurs when malicious content is injected into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed. With scripting enabled, the browser parses the contents of <noscript> as raw text rather than as markup, so the attribute quoting that Svelte relied on has no effect there: the unescaped </noscript> inside the href value ends the element early, and everything after it is parsed as ordinary HTML.
XSS when using an attribute within a <noscript> tag
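The following is an added example, not code from Svelte or from the advisory: it models the two escaping rules above in JavaScript, renders the shape of the advisory's page under each rule, and applies a defender's check for markup that breaks out of <noscript>. The escape, renderPage and leaksOutOfNoscript functions and the ATTR_SAFE rule are written here as assumptions, not Svelte's API.

```javascript
// Added example (not Svelte's code): models the two SSR escaping rules from
// the advisory and shows why they fail inside <noscript>, next to a hardened
// attribute rule. All inputs below are constructed for illustration.

// Svelte-4-style rules: attribute values escape only `&` and `"`;
// text content escapes only `&` and `<`.
const ATTR_WEAK = /[&"]/g;
const CONTENT = /[&<]/g;
// Hardened attribute rule (written here, not Svelte's): also escape `<` and
// `>`, so an attribute value can never spell out an end tag, even when the
// browser parses the surrounding <noscript> as raw text.
const ATTR_SAFE = /[&"<>]/g;

const ENTITIES = { "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" };

function escape(value, rule) {
  return String(value).replace(rule, (ch) => ENTITIES[ch]);
}

// Stand-in for the SSR output of the advisory's +page.svelte: the
// user-controlled href lands in an attribute inside <noscript>.
function renderPage(href, attrRule) {
  return `<noscript><a href="${escape(href, attrRule)}">test</a></noscript>`;
}

// Defender's check on rendered markup. With scripting enabled, a browser
// treats everything up to the first `</noscript` as raw text, so a
// `</noscript` that arrived inside an attribute value ends the element early
// and the remainder is parsed as markup. More closing sequences than opening
// <noscript tags means injected text got through.
function leaksOutOfNoscript(html) {
  const lower = html.toLowerCase();
  const opens = (lower.match(/<noscript\b/g) || []).length;
  const closes = (lower.match(/<\/noscript\b/g) || []).length;
  return closes > opens;
}
```

Running leaksOutOfNoscript over SSR output in a test suite flags the break-out regardless of which template produced it, while the same href value stays inert under ATTR_SAFE.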