Svelte, a popular JavaScript framework for building reactive web applications, released version 3.37.0 shortly after version 3.36.0. Both share the same core description, "Cybernetically enhanced web apps", reflecting Svelte's focus on performance and efficiency through its compiler-based approach, but a closer look reveals subtle differences. Both versions depend on the same dev dependencies, such as rollup, @rollup/plugin-typescript, @typescript-eslint/parser and eslint. The release dates are one day apart, 3.37.0 on March 31, 2021 and 3.36.0 on March 30, 2021, which suggests bug fixes or small improvements rather than major architectural changes. The most noticeable difference is the unpackedSize in the dist object of the package manifest: 6590886 for 3.37.0 versus 6590530 for 3.36.0. This slight growth may reflect minor additions to the runtime code, updated documentation, or other non-breaking changes. It is usually good practice to upgrade to the latest patch version to pick up the most recent bug fixes, performance enhancements and any other features provided by the maintainers.
All vulnerabilities related to version 3.37.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

In attribute values:
  " -> &quot;
  & -> &amp;
In text content:
  < -> &lt;
  & -> &amp;

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

```svelte
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>
```
If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
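The escaping rules above, as an added example that is not Svelte's own source: a minimal reimplementation of the pre-4.2.19 behaviour next to a hardened variant, showing why the page's sample href survives attribute escaping unchanged and how also escaping "<" in attributes closes the gap. All function names are assumptions.

```javascript
// Added example, not Svelte's own source. Reimplements the SSR escaping rules
// described on this page (pre-4.2.19 behaviour) next to a hardened variant.
// All function names here are assumptions.

const ENTITY = { '&': '&amp;', '"': '&quot;', '<': '&lt;' };

function escapeWith(pattern, value) {
  return String(value).replace(pattern, (ch) => ENTITY[ch]);
}

// Rules as described on this page: attribute values escape only " and &,
// text content escapes only < and &. A "<" inside an attribute passes through.
function escapeLegacy(value, isAttr = false) {
  return escapeWith(isAttr ? /[&"]/g : /[&<]/g, value);
}

// Hardened variant: also escape "<" in attribute values, so no tag-like
// sequence (such as a closing noscript tag) can be emitted from an attribute.
function escapeHardened(value, isAttr = false) {
  return escapeWith(isAttr ? /[&"<]/g : /[&<]/g, value);
}

// Produces the markup the +page.svelte above renders on the server,
// using whichever escape function is passed in.
function renderNoscriptLink(href, escape) {
  return `<noscript><a href="${escape(href, true)}">test</a></noscript>`;
}

// Detection check: the template itself contributes exactly one closing
// noscript tag, so a second one can only have come from the attribute value.
function noscriptBreakout(html) {
  const matches = html.toLowerCase().match(/<\/noscript>/g) || [];
  return matches.length > 1;
}

// Constructed input: the href query parameter from the URL on this page.
const PAYLOAD = '</noscript><script>alert(123)</script>';

console.log('legacy  :', renderNoscriptLink(PAYLOAD, escapeLegacy));
console.log('hardened:', renderNoscriptLink(PAYLOAD, escapeHardened));
```

With the legacy rules the rendered attribute still contains a literal closing noscript tag, which is exactly what the browser's raw-text parsing of <noscript> content acts on; the hardened rules leave only one such tag, the template's own.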