Svelte 3.42.4 is a minor version update to the popular Svelte framework, building upon the foundation laid by version 3.42.3. Both versions share the same core description, "Cybernetically enhanced web apps," indicating a continued focus on creating performant and efficient user interfaces. The primary difference lies in the dist object, where the unpackedSize increases slightly from 6929496 bytes in 3.42.3 to 6930694 bytes in 3.42.4. This suggests the update incorporates minor bug fixes, performance improvements, or internal adjustments that contribute to a slightly larger overall package size. From a developer standpoint, migrating from 3.42.3 to 3.42.4 is likely to be seamless, as the core API and functionality remain consistent. The shared devDependencies highlight the Svelte team's commitment to code quality and developer experience, with tools like ESLint, TypeScript, and Rollup facilitating a robust and maintainable development workflow. Dependencies such as magic-string, estree-walker, and css-tree reflect the attention to detail in the package's tooling, aimed at giving developers the best experience possible. Svelte continues to provide a streamlined and efficient way to build web applications, empowering developers to create highly interactive and performant user experiences with minimal overhead. The patch ensures an even better development platform.
All vulnerabilities related to version 3.42.4 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"  -> &quot;
&  -> &amp;
<  -> &lt;
&  -> &amp;
The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by browsers differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):
<script>
  import { page } from "$app/stores";
  // user input
  let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
  <a href={href}>test</a>
</noscript>
If a user accesses the following URL,
http://localhost:4173/?href=</noscript><script>alert(123)</script>
then alert(123) will be executed.
XSS, when using an attribute within a noscript tag
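The following is an added example, not code from the Svelte project or the advisory: it models the attribute and text escaping rules quoted above as plain functions, renders the advisory's noscript fragment with them, and places a hardened attribute escaper (an assumption made here: additionally escaping < and > in attribute values) beside the original so the difference in the server-rendered output can be checked.

```javascript
// Model of the SSR escaping rules quoted in the advisory (added example, not Svelte's code).

// Attribute escaping as described for the affected versions: only `"` and `&`
// are rewritten, so a `<` inside an attribute value passes through untouched.
function escapeAttributeLegacy(value) {
  return String(value).replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

// Text-node escaping as described: `<` and `&` are rewritten.
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;");
}

// Hardened attribute escaper (assumption for this example): also rewrite `<` and `>`,
// so an attribute value can never contain a tag boundary even if the browser
// re-parses the surrounding markup differently from what the server expected.
function escapeAttributeHardened(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Server-side rendering of the advisory's fragment with a chosen attribute escaper.
function renderNoscriptLink(href, escapeAttribute) {
  return `<noscript><a href="${escapeAttribute(href)}">test</a></noscript>`;
}

// Defensive check over rendered markup: does any quoted attribute value still
// contain a raw `<`? (A simple regex; sufficient for this single-attribute fragment.)
function attributeContainsRawTag(html) {
  return /\s[\w-]+="[^"]*<[^"]*"/.test(html);
}

// The href value from the advisory's example URL.
const ADVISORY_HREF = "</noscript><script>alert(123)</script>";

// Legacy escaping leaves the tag boundary inside the attribute; the hardened one does not.
const legacyOutput = renderNoscriptLink(ADVISORY_HREF, escapeAttributeLegacy);
const hardenedOutput = renderNoscriptLink(ADVISORY_HREF, escapeAttributeHardened);
console.log("legacy raw tag in attribute:", attributeContainsRawTag(legacyOutput));     // true
console.log("hardened raw tag in attribute:", attributeContainsRawTag(hardenedOutput)); // false
```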