Svelte is a UI framework known for its "disappearing" nature, meaning it shifts the workload from the browser to the compile-time, resulting in highly performant JavaScript. Comparing versions 2.4.3 and 2.4.2, developers will find subtle changes under the hood. Both versions share identical development dependencies, showcasing a consistent toolchain for building and testing Svelte components. These dependencies include tools for linting (eslint), bundling (rollup), testing (mocha, jsdom, nightmare), and TypeScript support, ensuring a robust development experience. The core framework and the surrounding tooling ecosystem remain consistent, providing a stable base for developers.
A key difference lies in the release date, with version 2.4.3 being released later on the same day as 2.4.2. The unpacked size differs slightly. This usually means bug fixes and minor improvements. While the core feature set is likely the same, developers who upgrade to 2.4.3 can expect a more refined and stable experience, even if the changes are not immediately visible. The consistent use of industry-standard tools like Rollup and TypeScript makes Svelte accessible to developers familiar with modern JavaScript development practices, promoting a smoother onboarding process. Choosing the latest version offers the benefit of the most up-to-date refinements and potentially addresses any immediate issues discovered in the prior release.
All vulnerabilities affecting version 2.4.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the escaped form on the right is the HTML entity, which the page's own rendering had decoded back into the raw character):

Attribute values:
"  ->  &quot;
&  ->  &amp;

Text content:
<  ->  &lt;
&  ->  &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag, because the attribute escaper never touches the < character.
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
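The following is an added example, not code from the Svelte project or from the advisories quoted above. It models the two SSR escaping defects described on this page side by side with hardened forms: the attribute escaper that leaves < untouched (so an attribute value inside <noscript> can terminate the raw-text element), and the older "escape only if it is a string" check that let an object with a custom toString() through unescaped. The function names, the legacy/fixed split, and the renderNoscriptLink helper are this example's own; the claim that the hardened attribute map mirrors the direction of the 4.2.19 fix is an assumption, not a quotation of the project's patch. The breaksOutOfNoscript check is a simple defensive test you can run over rendered SSR output.

```javascript
// Added example (not Svelte's own code): minimal model of the two SSR
// escaping defects described above, each beside a hardened form.

// Escaping tables modelled on the advisory: text content escapes & and <,
// attribute values (legacy) escape only & and ".
const CONTENT_MAP = { '&': '&amp;', '<': '&lt;' };
const ATTR_MAP_LEGACY = { '&': '&amp;', '"': '&quot;' };
// Hardened attribute table: also neutralises < so an attribute value can never
// close a raw-text element such as <noscript>. Assumption: this follows the
// direction of the 4.2.19 fix; it is not the project's exact code.
const ATTR_MAP_FIXED = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };

function escapeWith(map, value) {
  // Characters not present in the chosen table are passed through unchanged.
  return String(value).replace(/[&"<]/g, (ch) => map[ch] ?? ch);
}

function escapeContent(value) {
  return escapeWith(CONTENT_MAP, value);
}

// Defect 1 (svelte < 3.49.0, as described above): only string values were
// escaped, so an object with a custom toString() was interpolated verbatim
// when the template concatenated it into the attribute.
function escapeAttrValueLegacy(value) {
  return typeof value === 'string' ? escapeWith(ATTR_MAP_LEGACY, value) : value;
}

// Hardened: always stringify before escaping, and escape < as well
// (defect 2, the <noscript> break-out, needs the extra < rule).
function escapeAttrValueFixed(value) {
  return escapeWith(ATTR_MAP_FIXED, String(value));
}

// Render the shape of the advisory's vulnerable component with a chosen
// attribute escaper, the way an SSR template would.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Detection check for rendered SSR output: <noscript> content is raw text
// for a browser with scripting enabled, so any </noscript> that arrived via
// data ends the element early. More closers than openers (case-insensitive)
// means an injected closer is present and everything after it is live markup.
function breaksOutOfNoscript(markup) {
  const openers = markup.match(/<noscript\b[^>]*>/gi) ?? [];
  const closers = markup.match(/<\/noscript\s*>/gi) ?? [];
  return closers.length > openers.length;
}

// Constructed sample inputs (not from a real request):
const hrefPayload = '</noscript><b>injected</b>';
const objectPayload = { toString() { return '"><b>injected</b>'; } };

function demo() {
  const legacy = renderNoscriptLink(hrefPayload, escapeAttrValueLegacy);
  const fixed = renderNoscriptLink(hrefPayload, escapeAttrValueFixed);
  return {
    legacy,
    legacyBreaksOut: breaksOutOfNoscript(legacy),
    fixed,
    fixedBreaksOut: breaksOutOfNoscript(fixed),
    legacyObject: String(escapeAttrValueLegacy(objectPayload)),
    fixedObject: escapeAttrValueFixed(objectPayload),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the file prints the two renderings: with the legacy escaper the literal </noscript> survives inside href and breaksOutOfNoscript reports true; with the hardened escaper the < becomes &lt; and the check is quiet. The object payload shows the first defect independently of <noscript>: the legacy path returns the object itself, so the template stringifies it with no escaping at all, while the hardened path escapes the quote and the angle bracket.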
XSS, when using an attribute within a noscript tag