Svelte 2.9.7 is a minor patch release of the popular "magical disappearing UI framework," building upon version 2.9.6. Both versions share the same core description, emphasizing Svelte's innovative approach to web development where the framework's work is done at compile time, resulting in highly efficient and performant JavaScript.
Developers familiar with Svelte 2.9.6 will find the 2.9.7 update a seamless transition. The core API and functionality remain consistent. The primary difference lies in the dist section: Svelte 2.9.7 has a packed size of 2,599,102 bytes, slightly more than the 2,596,633 bytes of Svelte 2.9.6. Both contain 17 files. Typically, such a small increment suggests bug fixes, performance improvements, or minor adjustments to internal modules rather than significant feature additions.
For developers considering adopting Svelte, both versions offer a compelling choice for building reactive user interfaces. Svelte distinguishes itself by compiling components into highly optimized vanilla JavaScript, avoiding the overhead of a virtual DOM. This leads to faster load times and improved runtime performance, especially beneficial for projects prioritizing speed and efficiency. The extensive list of devDependencies in both packages indicates a robust development environment with tools for testing, linting, bundling, and more, ensuring code quality and a smooth developer experience. Given the minor nature of the patch, using either version provides access to Svelte's core benefits, though 2.9.7 is recommended for the latest fixes and refinements.
All vulnerabilities related to version 2.9.7 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the entities below are reconstructed from the advisory; the rendered page had collapsed them back to their literal characters):

When used in attributes:
  "  -> &quot;
  &  -> &amp;

When used in text content:
  <  -> &lt;
  &  -> &amp;

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

    <script>
      import { page } from "$app/stores"
      // user input
      let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>
    <noscript>
      <a href={href}>test</a>
    </noscript>
If a user accesses the following URL:

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
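The mechanism above, as an added illustration that is not Svelte's own code: an attribute escaper that converts only `"` and `&` (the rule set from the advisory) leaves `</noscript>` intact inside the attribute value, so a browser with scripting enabled ends the raw-text <noscript> element early and parses the rest as live markup; the hardened escaper, which additionally converts `<` and `>`, is an assumed generic remedy rather than a reproduction of the Svelte 4.2.19 patch. Function names and the sample input are constructed for this example.

```javascript
// Attribute escaping as the advisory describes it for vulnerable versions:
// only `"` and `&` are converted (illustrative, not Svelte's implementation).
function escapeAttrVulnerable(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Hardened form (assumed generic remedy): also convert `<` and `>`, so an
// attribute value can never contain the byte sequence that ends a raw-text
// element such as <noscript>.
function escapeAttrHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side rendering of the page from the advisory, with the escaper
// passed in so both variants can be compared on the same input.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Emulates the relevant parsing step: with scripting enabled, a browser
// treats everything up to the FIRST literal `</noscript>` as raw text and
// parses whatever follows as ordinary HTML. Returns that trailing markup.
function htmlAfterNoscriptBreakout(rendered) {
  const open = "<noscript>";
  const close = "</noscript>";
  const start = rendered.indexOf(open) + open.length;
  const end = rendered.indexOf(close, start);
  return rendered.slice(end + close.length);
}

// Detection helper for server output: true if the rendered HTML contains
// live markup after the first closing tag, i.e. the attribute broke out.
function noscriptBreakoutDetected(rendered) {
  return htmlAfterNoscriptBreakout(rendered).length > 0;
}

// Constructed sample input: the payload shape quoted in the advisory.
const SAMPLE_HREF = "</noscript><script>alert(123)</script>";

function demo() {
  const vulnerable = renderNoscriptLink(SAMPLE_HREF, escapeAttrVulnerable);
  const hardened = renderNoscriptLink(SAMPLE_HREF, escapeAttrHardened);
  return {
    vulnerableBreakout: noscriptBreakoutDetected(vulnerable), // true
    hardenedBreakout: noscriptBreakoutDetected(hardened),     // false
    vulnerableTail: htmlAfterNoscriptBreakout(vulnerable),
  };
}
```

Running demo() shows the vulnerable rendering leaving `<script>alert(123)</script>` outside the <noscript> element, while the hardened rendering keeps the whole value inside the attribute.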
XSS, when using an attribute within a noscript tag