Svelte version 2.6.3 is a minor update to the popular "magical disappearing UI framework," building upon version 2.6.2. Both versions share the same core description, MIT license, author (Rich Harris), and repository, indicating a continuation of the established project. A key difference lies in the release date, with 2.6.3 published on May 17, 2018, following 2.6.2's release on May 16, 2018, suggesting a quick follow-up release, potentially addressing bug fixes or minor enhancements.
The devDependencies sections of both versions are quite extensive and very similar, encompassing a wide array of tools for development, testing, and building, including rollup, typescript, eslint, and various rollup plugins. A notable difference is the slight bump in the tiny-glob dependency, moving from version 0.2.0 in 2.6.2 to 0.2.1 in 2.6.3. Although seemingly minor, such a change could include essential bug fixes or performance improvements in globbing functionality.
Furthermore, differences can be observed in the "dist" section, notably the unpackedSize. Version 2.6.3 is slightly larger at 2592169 bytes compared to 2.6.2's 2591653 bytes. This implies the introduction of some new code or assets, however small, warranting the new release. These cumulative changes, though incremental, contribute to the ongoing evolution of Svelte, aimed at providing a streamlined developer experience and improved performance for building reactive web applications. Developers should check the changelog to fully comprehend the changes.
All known vulnerabilities affecting version 2.6.3 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
  " -> &quot;
  & -> &amp;
In element content:
  < -> &lt;
  & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL:
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed. With scripting enabled, browsers parse the content of <noscript> as raw text rather than as markup, so the injected </noscript> closes the element and the <script> that follows is parsed and run, even though Svelte escaped the value as an attribute.
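As an added example (not Svelte's own code and not part of the advisory), the following JavaScript models the escaping rules listed above, renders the advisory's <noscript> link with the payload from the URL, and checks whether a raw </noscript> survives in the server output; the hardened rule set that also escapes < in attribute values is an assumption about one sufficient fix, not a description of the upstream patch.

```javascript
// Added example, not Svelte's code: models the SSR escaping rules from the
// advisory and shows why they fail inside <noscript>.

// The rules as the advisory states them: attribute values escape only " and &,
// element content escapes only < and &.
const ATTR_VULNERABLE = /[&"]/g;
const CONTENT = /[&<]/g;
// Assumed hardening: attribute values also escape <, so an attribute can never
// carry a raw end tag even if the browser stops treating it as an attribute.
const ATTR_HARDENED = /[&"<]/g;

const ENTITIES = { "&": "&amp;", '"': "&quot;", "<": "&lt;" };

// Single-pass replacement: each matched character maps to one entity, so
// already-escaped output is never escaped twice.
function escape(value, regex) {
  return String(value).replace(regex, (ch) => ENTITIES[ch]);
}

// Renders the advisory's +page.svelte markup for a given href, using the
// chosen attribute-escaping rule for the value and CONTENT for the link text.
function renderNoscriptLink(href, attrRegex, text = "test") {
  const attr = escape(href, attrRegex);
  return `<noscript><a href="${attr}">${escape(text, CONTENT)}</a></noscript>`;
}

// Detection check: with scripting enabled, browsers parse <noscript> content as
// raw text, so any "</noscript" inside the attribute ends the element early.
// A raw end tag before the legitimate closing one is the signal of the bug.
function containsRawNoscriptClose(html) {
  const body = html.slice(0, html.lastIndexOf("</noscript>"));
  return /<\/noscript/i.test(body);
}

// Constructed input: the href value from the advisory's example URL.
const PAYLOAD = "</noscript><script>alert(123)</script>";

const vulnerableHtml = renderNoscriptLink(PAYLOAD, ATTR_VULNERABLE);
const hardenedHtml = renderNoscriptLink(PAYLOAD, ATTR_HARDENED);
console.log(vulnerableHtml, containsRawNoscriptClose(vulnerableHtml)); // true
console.log(hardenedHtml, containsRawNoscriptClose(hardenedHtml)); // false
```

The same check can be run over any SSR output that places user-controlled attributes inside raw-text elements such as <noscript>, <style> or <script>, where attribute escaping alone is not a safe boundary.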
XSS, when using an attribute within a noscript tag