Svelte 3.29.5, released on November 9, 2020, builds on Svelte 3.29.4 (released October 22, 2020) and provides the same framework for building high-performance web applications. The core functionality is unchanged; the key difference is an updated development dependency: @sveltejs/eslint-config has been bumped from v5.4.0 to v5.6.0. This update refines the ESLint configuration used for linting Svelte code, giving more accurate and consistent code-style checks that can catch subtle errors and improve overall code quality.
For developers relying on consistent linting rules, this update matters because it aligns projects with the latest practices recommended by the Svelte team. The updated configuration may require minor adjustments to existing projects to satisfy the new linting standards, which in turn encourages cleaner and more maintainable codebases. Beyond this, both versions provide the same features Svelte is known for: component-based architecture, reactivity, and a compiler that transforms components into highly optimized vanilla JavaScript at build time. The unpacked size has increased slightly in the later version, from 5986622 to 6001240, suggesting minor changes or additions in the compiled output or included assets. Both versions are licensed under MIT and maintained by Rich Harris. Svelte targets front-end developers who want efficient solutions and optimal performance by relying on build-time compilation rather than heavy client-side frameworks.
All vulnerabilities related to version 3.29.5 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (the entities were decoded during extraction; the rules are restored here as the advisory states them):
When the string is used as an attribute value:
  "  ->  &quot;
  &  ->  &amp;
When the string is used as text content:
  <  ->  &lt;
  &  ->  &amp;
The assumption is that attributes will always stay attributes, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This can be leveraged to perform XSS attacks. More specifically, it can occur when malicious content is injected into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input taken straight from the query string
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
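The following is an added example, not Svelte's own code: it models the SSR escaping rules listed in the advisory above, renders the <noscript> link from the vulnerable page with the href value from that URL, and checks whether the attribute value can break out of the <noscript> element. The hardened variant additionally escapes "<" in attribute values, which is stated here as the assumed remediation rather than quoted from the 4.2.19 patch.

```javascript
// Escaping rules as the advisory describes them for versions before 4.2.19:
// attribute values escape " and &, text content escapes < and &.
function escapeAttrLegacy(s) {
  return String(s).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}
function escapeText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaping (assumed fix): also escape "<", so a value
// can never form a closing tag even when the browser treats the inside
// of <noscript> as raw text instead of markup.
function escapeAttrSafe(s) {
  return escapeAttrLegacy(s).replace(/</g, "&lt;");
}

// Minimal stand-in for what SSR emits for the +page.svelte above.
function renderNoscriptLink(href, escapeAttr) {
  return `<noscript><a href="${escapeAttr(href)}">test</a></noscript>`;
}

// Detection check: the template emits exactly one </noscript>; a second
// occurrence means the attribute value closed the element early.
function attributeBreaksOut(html) {
  return html.indexOf("</noscript>") !== html.lastIndexOf("</noscript>");
}

// Constructed input: the href value from the URL on the page.
const payload = "</noscript><script>alert(123)</script>";

// Legacy escaping leaves the closing tag intact -> true (vulnerable).
const vulnerable = attributeBreaksOut(renderNoscriptLink(payload, escapeAttrLegacy));
// Hardened escaping turns it into &lt;/noscript> -> false.
const hardened = attributeBreaksOut(renderNoscriptLink(payload, escapeAttrSafe));
console.log({ vulnerable, hardened });
```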
XSS when using an attribute within a noscript tag