Svelte 3.9.0 represents a minor version update to the Svelte JavaScript framework, building upon the foundations laid by version 3.8.1. Both releases maintain the core philosophy of Svelte, which centers around compiling components to highly efficient, framework-less vanilla JavaScript during build time, resulting in exceptional runtime performance and a small bundle size, highly attractive for developers prioritizing speed and optimization. From a developer experience perspective, users migrating from 3.8.1 to 3.9.0 likely won't face significant breaking changes, ensuring a smooth upgrade path.
While the core development dependencies remain almost identical between the two versions, this update brings incremental changes in file count and unpacked size, which also bear on the developer experience. Svelte developers benefit in particular from the rich ecosystem of tooling, including Rollup plugins and ESLint integrations, which supports a streamlined workflow with features such as hot module replacement and static analysis. Svelte's approach avoids the performance bottlenecks often encountered in traditional virtual DOM frameworks, letting developers build very fast web applications. The update from version 3.8.1 to 3.9.0 continues to refine Svelte's capabilities, with a strong emphasis on developer usability.
All vulnerabilities affecting version 3.9.0 of the package
Svelte vulnerable to XSS when using objects during server-side rendering
The package svelte before 3.49.0 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization and improper escaping of attributes when using objects during SSR (Server-Side Rendering). Exploiting this vulnerability is possible via objects with a custom toString() function.
Svelte has a potential mXSS vulnerability due to improper HTML escaping
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules (entity names shown as emitted):

When used in attributes:
    " -> &quot;
    & -> &amp;

When used in text:
    < -> &lt;
    & -> &amp;

The assumption is that attributes will always stay as such, but in some situations the final DOM tree rendered by the browser differs from what Svelte expects during server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
A vulnerable page (+page.svelte):

    <script>
    import { page } from "$app/stores";
    // user input
    let href = $page.url.searchParams.get("href") ?? "https://example.com";
    </script>
    <noscript>
    <a href={href}>test</a>
    </noscript>

If a user accesses the following URL:

    http://localhost:4173/?href=</noscript><script>alert(123)</script>

then alert(123) will be executed.
Impact: XSS, when using an attribute within a noscript tag.