Svelte version 2.9.4 is a subtle but potentially important iteration on version 2.9.3 of this "magical disappearing UI framework". Both share the same core description and the same comprehensive set of development dependencies for testing, linting, bundling and general code quality, but a closer inspection reveals a few distinctions. The most readily apparent difference lies in their release dates and dist attributes: version 2.9.4 was published on July 15, 2018, several days after 2.9.3, which was released on July 9, 2018.
The dist objects show slight variations. Both archives contain 15 files, but they differ in unpacked size: version 2.9.4 is 2573373 bytes, marginally larger than version 2.9.3's 2573129 bytes. This indicates that some files within the package were modified, resulting in a slightly larger footprint; the changes might be bug fixes, performance enhancements or minor updates to internal modules. Svelte developers should consider upgrading to 2.9.4 to pick up these potential improvements, especially if they encounter issues present in older versions or want a more stable recent release. Svelte continues to provide tools and updates for reliable and efficient UI development, and while the changes between these versions appear minor, they reflect Svelte's commitment to continuous improvement and to developer experience through ongoing bug fixes and optimisation.
All vulnerabilities related to version 2.9.4 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attributes:

    " -> &quot;
    & -> &amp;

In contents of elements:

    < -> &lt;
    & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

    <script>
        import { page } from "$app/stores";
        // user input
        let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>
    <noscript>
        <a href={href}>test</a>
    </noscript>
If a user accesses the following URL,

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
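To make the escaping gap concrete, the following added example (not Svelte's own code) implements the two attribute-escaping policies described above, renders the advisory's noscript link with each, and runs a check that flags output in which an attribute value spells out a literal closing noscript tag. The helper names and the check are assumptions for this illustration; the hostile href value is the one from the example URL above.

```javascript
// Added illustration of the escaping gap described in the advisory. These
// helpers are NOT Svelte's code; they mirror the rules listed above so the two
// escaping policies can be compared directly.

// SSR attribute escaping as the advisory describes it: only `"` and `&`.
function escapeAttributeOld(value) {
  return String(value).replace(/["&]/g, (c) => (c === '"' ? "&quot;" : "&amp;"));
}

// Hardened attribute escaping: additionally turns `<` into `&lt;`, so an
// attribute value can never contain a closing tag. A browser that parses the
// body of <noscript> as raw text (scripting enabled) would otherwise treat
// `</noscript>` inside the attribute as the end of the element.
function escapeAttributeFixed(value) {
  return String(value).replace(/["&<]/g, (c) =>
    c === '"' ? "&quot;" : c === "&" ? "&amp;" : "&lt;"
  );
}

// Renders the advisory's +page.svelte markup with a given escaping policy.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Defensive check: the template emits exactly one </noscript>; any further
// occurrence means an attribute value leaked a raw end tag into the HTML.
function leaksNoscriptEndTag(html) {
  const matches = html.match(/<\/noscript\s*>/gi) ?? [];
  return matches.length > 1;
}

// Constructed input: the query-string value from the advisory's example URL.
const hostileHref = "</noscript><script>alert(123)</script>";

console.log(leaksNoscriptEndTag(renderNoscriptLink(hostileHref, escapeAttributeOld)));   // true
console.log(leaksNoscriptEndTag(renderNoscriptLink(hostileHref, escapeAttributeFixed))); // false
```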
XSS when using an attribute within a noscript tag