Svelte version 3.16.2 arrives shortly after 3.16.1, offering subtle yet important refinements for developers building cybernetically enhanced web applications. Both versions share the same core mission: providing a modern approach to web development that shifts work from the browser to the compile step. Crucially, both versions maintain identical development dependencies, ensuring a consistent development environment. This includes vital tools like Rollup for bundling, TypeScript for type safety, and ESLint for code quality.
The primary differences between Svelte 3.16.1 and 3.16.2 lie in their internal implementations and build processes. Looking at the dist section of each package, the number of files included in the distribution rose from 205 to 254, and the unpacked size grew by a modest 24KB approximately. Although the specifics aren't detailed here, these changes suggest optimizations or bug fixes that improve performance or stability. The update of the code-red dependency from version 0.0.26 to 0.0.27 in the newer version indicates a bug fix associated with that package as well. While both versions offer the same core developer experience, upgrading to 3.16.2 gives developers the most polished experience with the framework. Given that the core tooling remains consistent, the upgrade process should be seamless, allowing developers to leverage the latest improvements without introducing compatibility concerns. Svelte's approach promotes efficient and maintainable code through innovative compilation techniques.
All the vulnerabilities related to the version 3.16.2 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
    " -> &quot;
    & -> &amp;
In text content:
    < -> &lt;
    & -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
```svelte
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL, http://localhost:4173/?href=</noscript><script>alert(123)</script> then alert(123) will be executed.
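To make the mechanism concrete, here is an added example (not Svelte's own code) that models the attribute escaping rules quoted above beside a hardened escaper that also converts "<", renders the advisory's noscript anchor with each, and checks whether a script-enabled browser would see the injected markup. The regexes and the hardened rule are assumptions modeling the described behaviour and its fix, not Svelte's implementation; the page split is a simplified model of noscript parsing, not an HTML parser.

```javascript
// Attribute escaper following only the quoted rules: & -> &amp; and " -> &quot;
// (assumption: models the pre-4.2.19 behaviour the advisory describes).
function escapeAttrLegacy(value) {
  return String(value).replace(/[&"]/g, (c) => (c === "&" ? "&amp;" : "&quot;"));
}

// Hardened escaper (assumption: models the fix by also turning < into &lt;).
function escapeAttrHardened(value) {
  const map = { "&": "&amp;", '"': "&quot;", "<": "&lt;" };
  return String(value).replace(/[&"<]/g, (c) => map[c]);
}

// Server-side render of the vulnerable page's markup with a chosen escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// With scripting enabled, a browser treats everything after <noscript> as raw
// text up to the FIRST literal "</noscript>"; whatever follows is parsed as
// normal markup. Split the rendered string the same way (simplified model).
function splitLikeBrowser(html) {
  const start = html.indexOf("<noscript>") + "<noscript>".length;
  const end = html.indexOf("</noscript>", start);
  return {
    rawText: html.slice(start, end),
    remainder: html.slice(end + "</noscript>".length),
  };
}

// True when content Svelte placed inside an attribute ends up parsed as a
// <script> element after the raw-text region closes early.
function breaksOut(html) {
  return /<script\b/i.test(splitLikeBrowser(html).remainder);
}

// Constructed input: the advisory's href value, as a server would receive it.
const PAYLOAD = "</noscript><script>alert(123)</script>";
console.log("legacy   breaks out:", breaksOut(renderNoscriptLink(PAYLOAD, escapeAttrLegacy)));
console.log("hardened breaks out:", breaksOut(renderNoscriptLink(PAYLOAD, escapeAttrHardened)));
```

A benign value such as https://example.com renders identically under both escapers, so the extra rule costs nothing for normal attribute content.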
XSS, when using an attribute within a noscript tag