Svelte 3.21.0 is a minor update to the Svelte JavaScript framework, following version 3.20.1. Both versions share the same "cybernetically enhanced web apps" philosophy: a compiler that turns component-based source into small, reactive runtime code. The difference between the two releases lies in internal improvements and refinements. Comparing the dist metadata, 3.21.0 has a slightly larger unpacked size (3126547 bytes) and file count (204) than 3.20.1 (3119755 bytes and 200 files), which points to added features, bug fixes or code changes in the compiler or runtime rather than a redesign. The compilation model and the reactivity model are unchanged.
Developers will find the same development experience in both versions. The update is likely to contain incremental enhancements such as improved error messages, better handling of edge cases in the reactivity system, or performance optimizations in the generated code. The dependency lists are identical, so the tooling for linting, testing, bundling and TypeScript support is unchanged. Moving from 3.20.1 to 3.21.0 should therefore be a straightforward update without breaking changes. Note that neither version is safe from the advisories listed below: both predate the 3.49.0 and 4.2.19 fixes, so a project that renders untrusted values on the server should upgrade past those versions regardless of which 3.2x release it is on.
All vulnerabilities affecting version 3.21.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) because attribute values are not escaped correctly when objects are rendered during SSR (Server-Side Rendering). Exploitation is possible via objects with a custom toString() function: the object is not treated as a string at escaping time, so markup returned by toString() reaches the rendered attribute unescaped. Any component that passes user-controlled objects (for example parsed query or form data) into an attribute during SSR is affected.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
In attribute values:
    "  ->  &quot;
    &  ->  &amp;
In text content:
    <  ->  &lt;
    &  ->  &amp;
Note that < is not escaped inside attribute values. The assumption is that an attribute value always stays an attribute value, but in some situations the final DOM tree built by the browser differs from what Svelte expects during server-side rendering, and this can be leveraged for XSS. More specifically, it occurs when malicious content is injected into an attribute within a <noscript> tag: in a browser with scripting enabled, the contents of <noscript> are parsed as raw text rather than as markup, so a literal </noscript> inside the attribute value terminates the element and everything after it is parsed as ordinary HTML, including a <script> tag.
A vulnerable page (+page.svelte):

    <script>
        import { page } from "$app/stores";
        // user input
        let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>

    <noscript>
        <a href={href}>test</a>
    </noscript>
If a user with scripting enabled accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed: the SSR output keeps the raw </noscript> inside the href attribute, the browser closes the noscript element there, and the injected script runs.
XSS, when using an attribute within a noscript tag
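The following is an added example written for this page, not Svelte's own source or the upstream patch. It models the two escaping defects described above in one place: an attribute escaper that leaves < alone (the pre-4.2.19 rule, so </noscript> in an href survives) and an attribute escaper that skips non-string values entirely (the pre-3.49.0 behaviour, so an object's toString() output is inserted raw). A hardened escaper, constructed here and not a copy of the fixed versions, stringifies first and escapes < in attributes as well. The function names, the payloads and the rendered fragments are all constructed for the example.

```javascript
// Model of Svelte SSR escaping before 3.49.0 / 4.2.19, next to a hardened
// variant. Illustrative code written for this page, not Svelte's own source.

// Pre-4.2.19 rule: attribute values escape only & and "; text content
// escapes only & and <. "<" is assumed to be harmless inside an attribute.
const ATTR_REGEX_OLD = /[&"]/g;
const CONTENT_REGEX = /[&<]/g;

function escapeOld(value, isAttr = false) {
  const str = String(value);
  const pattern = isAttr ? ATTR_REGEX_OLD : CONTENT_REGEX;
  return str.replace(pattern, (ch) =>
    ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;');
}

// Pre-3.49.0 behaviour: only strings are escaped, everything else is passed
// through and stringified later by the template, which calls toString().
function escapeAttributeValuePre349(value) {
  return typeof value === 'string' ? escapeOld(value, true) : value;
}

// Hardened escaper (constructed for this example): stringify before escaping
// so objects cannot skip the step, and escape "<" in attributes too so an
// injected "</noscript>" cannot close a raw-text element.
const ATTR_REGEX_NEW = /[&"<]/g;

function escapeHardened(value, isAttr = false) {
  const str = String(value);
  const pattern = isAttr ? ATTR_REGEX_NEW : CONTENT_REGEX;
  return str.replace(pattern, (ch) =>
    ch === '&' ? '&amp;' : ch === '"' ? '&quot;' : '&lt;');
}

// SSR of the page's <noscript><a href={href}>test</a></noscript>, with a
// pluggable attribute escaper.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Check: does the markup contain a second, attacker-supplied </noscript>
// before the real closing tag? If so, a scripting-enabled browser will end
// the raw-text noscript element there and parse the rest as HTML.
function attributeCanCloseNoscript(html) {
  return html.indexOf('</noscript>') !== html.lastIndexOf('</noscript>');
}

// Constructed payloads mirroring the two advisories.
const noscriptPayload = '</noscript><script>alert(123)</script>';
const toStringPayload = { toString: () => '"><script>alert(1)</script>' };

function demo() {
  return {
    // 4.2.19 case: "<" survives the old attribute escaper.
    noscriptOld: renderNoscriptLink(noscriptPayload, (v) => escapeOld(v, true)),
    noscriptNew: renderNoscriptLink(noscriptPayload, (v) => escapeHardened(v, true)),
    // 3.49.0 case: the object bypasses escaping and breaks out of the attribute.
    toStringOld: `<a href="${escapeAttributeValuePre349(toStringPayload)}">x</a>`,
    toStringNew: `<a href="${escapeHardened(toStringPayload, true)}">x</a>`,
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  for (const [name, html] of Object.entries(demo())) {
    console.log(name.padEnd(12), html);
  }
}
```

Running the block prints the four rendered fragments: the two "Old" lines contain a raw </noscript> and a raw "><script> respectively, while the two "New" lines carry only &lt; and &quot; in the attribute. The attributeCanCloseNoscript check is the kind of assertion to add to an SSR test suite when a component places user input inside a raw-text element such as <noscript>, <title>, <textarea> or <style>.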