Information that I would expect to be somewhat private is currently accessible through the website's source code. For instance, it seems LOTS of rows from our member database are simply inlined into the source code. The screenshot below is a very small excerpt of what you can see in the source code.
Steps to reproduce
Step 1. Go to dsek.se
Step 2. Right-click and choose "view source".
Step 3. Scroll down to the bottom script and see the exposed data.
Further information
SvelteKit has a feature where "During server-side rendering, the response will be captured and inlined into the rendered HTML" which seems related to this. However, that's related to making fetch() calls so I'm not sure what's going on here.
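One defensive pattern worth checking for in this kind of report, as an added example that is not code from the dsek.se project or from SvelteKit: whatever a server `load` function returns is serialized into the rendered HTML so the client can hydrate, so a `load` that returns whole database rows leaks every column to anyone who views the source. The fix is to project rows onto an allow-list of fields on the server before returning them. The `members` rows, the `PUBLIC_FIELDS` list, `toPublicMember` and the `loadLeaky`/`loadProjected` functions are all constructed for this illustration, and `inlinePayload` uses `JSON.stringify` as a stand-in for SvelteKit's own serializer.

```javascript
// Added example, not from the dsek.se codebase or SvelteKit. Models how the
// return value of a server `load` function ends up inlined in the page HTML,
// and shows the server-side projection that keeps private columns out of it.

// Constructed sample rows standing in for the member database.
const members = [
  { id: 1, name: 'Alice', email: 'alice@example.invalid', phone: '070-0000001', dob: '1999-01-01', role: 'member' },
  { id: 2, name: 'Bob',   email: 'bob@example.invalid',   phone: '070-0000002', dob: '2000-06-15', role: 'board' },
];

// Allow-list of the fields the page actually needs to render.
const PUBLIC_FIELDS = ['id', 'name', 'role'];

// Project one row onto the allow-list; unknown keys are dropped, never copied.
function toPublicMember(row) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (key in row) out[key] = row[key];
  }
  return out;
}

// Leaky shape: whole rows are returned. Everything returned from a load
// function is serialized into the HTML, so every column becomes public.
function loadLeaky() {
  return { members };
}

// Hardened shape: project on the server before returning anything.
function loadProjected() {
  return { members: members.map(toPublicMember) };
}

// Stand-in for the SSR inlining step. SvelteKit uses its own serializer
// (devalue) rather than JSON, but the result is equally readable in the
// page source, so JSON is a fair approximation for inspection.
function inlinePayload(data) {
  return JSON.stringify(data);
}

// Audit helper: list every row field in a load result that is not on the
// allow-list. An empty result means nothing outside PUBLIC_FIELDS is inlined.
function leakedFields(data) {
  const seen = new Set();
  for (const row of data.members) {
    for (const key of Object.keys(row)) {
      if (!PUBLIC_FIELDS.includes(key)) seen.add(key);
    }
  }
  return [...seen].sort();
}

// Usage: compare what each load shape would put into the HTML.
console.log('leaky payload    :', inlinePayload(loadLeaky()));
console.log('leaked fields    :', leakedFields(loadLeaky()));
console.log('projected payload:', inlinePayload(loadProjected()));
console.log('leaked fields    :', leakedFields(loadProjected()));
```

The same allow-list check can be run against a captured page source: if a field name that should never leave the server (an e-mail column, a date of birth) appears in the inlined data, the `load` function feeding that page is returning more than the template needs.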