Svelte 3.16.4 is a minor update to the Svelte JavaScript framework, a tool known for building highly performant web applications with a unique, compiler-based approach. Comparing it to the previous version, 3.16.3, we observe subtle changes primarily impacting the internal workings and packaging of the library. While the core functionality and developer experience remain largely consistent, there are differences in the packaged size and file count. Version 3.16.4 has a smaller unpacked size (3031829 bytes) and fewer files (206) compared to 3.16.3 (3055753 bytes and 254 files respectively). This suggests optimizations in the bundling process or removal of unnecessary files.
For developers, this update is likely transparent in terms of code changes. The development dependencies remain the same, indicating no significant upgrades or alterations to the tooling ecosystem. However, the reduced package size can contribute to slightly faster installation times and potentially smaller bundle sizes for applications using Svelte. The update reflects the ongoing refinement and optimization efforts within the Svelte project, ensuring a lean and efficient development experience. Svelte continues to offer a compelling alternative to traditional frameworks by shifting work from the browser to the compile step, resulting in faster, more efficient web applications.
All vulnerabilities related to version 3.16.4 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and to improper escape of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
- Attributes: `"` -> `&quot;`, `&` -> `&amp;`
- Text content: `<` -> `&lt;`, `&` -> `&amp;`

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a `<noscript>` tag.
A vulnerable page (`+page.svelte`):

```svelte
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL, `http://localhost:4173/?href=</noscript><script>alert(123)</script>`, then `alert(123)` will be executed.
XSS, when using an attribute within a noscript tag
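The two advisories above share one root cause: the server-side attribute escaper leaves `<` and `>` alone (so a `</noscript>` inside an attribute survives into the page) and, before 3.49.0, skipped non-string values entirely (so an object's custom `toString()` output was never escaped). The following is an added example, not Svelte's own code: `escapeAttrWeak` models the attribute rules listed in the advisory, `escapeAttrHardened` is one hardened replacement that coerces the value first and escapes every tag- and attribute-breaking character, and `renderNoscriptLink` is a hypothetical stand-in for the rendered `+page.svelte` markup. The payload string is the one from the advisory.

```javascript
// Added example (not Svelte's own code). Contrasts a weak SSR attribute
// escaper with a hardened one on the inputs the two advisories describe.

// Weak escaper, modelled on the attribute rules the advisory lists:
// only `"` and `&` are rewritten, and non-string values pass through
// untouched, so an object's custom toString() is never escaped.
function escapeAttrWeak(value) {
  if (typeof value !== "string") return value; // objects are not escaped
  return value.replace(/["&]/g, (c) => (c === '"' ? "&quot;" : "&amp;"));
}

// Hardened escaper: coerce first so any custom toString() output is
// escaped too, then rewrite every character that can close an attribute
// or open/close a tag.
function escapeAttrHardened(value) {
  const s = String(value); // runs a custom toString() *before* escaping
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Hypothetical stand-in for the rendered markup of the vulnerable page.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Detection helper: a correctly escaped page contains exactly one
// `</noscript>` (the real closing tag); a second one means the attribute
// value broke out of the tag.
function countClosingNoscript(html) {
  return (html.match(/<\/noscript>/gi) || []).length;
}

// Constructed inputs: the advisory's URL payload as a string, and an
// object whose toString() yields the same payload (pre-3.49.0 case).
const payload = "</noscript><script>alert(123)</script>";
const objectPayload = { toString() { return payload; } };

// Usage: compare how many closing tags each escaper lets through.
for (const input of [payload, objectPayload]) {
  console.log("weak    :", countClosingNoscript(renderNoscriptLink(input, escapeAttrWeak)));
  console.log("hardened:", countClosingNoscript(renderNoscriptLink(input, escapeAttrHardened)));
}
```

With the weak escaper both inputs render a second `</noscript>` followed by a live `<script>` element; with the hardened escaper the value is emitted as `&lt;/noscript&gt;&lt;script&gt;...` inside the `href`, and the `<noscript>` block stays intact. The same count-based check is a cheap regression test for any SSR template that places user input inside `<noscript>`.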