A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
If the string is an attribute value:
" -> "
& -> &
Other characters -> No conversion
Otherwise:
< -> <
& -> &
Other characters -> No conversion
The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
PoC
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
This PR contains the following updates:
4.2.18->4.2.19GitHub Vulnerability Alerts
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"->"&->&<-><&->&The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a
<noscript>tag.PoC
A vulnerable page (
+page.svelte):If a user accesses the following URL,
then,
alert(123)will be executed.Impact
XSS, when using an attribute within a noscript tag
Release Notes
sveltejs/svelte (svelte)
### [`v4.2.19`](https://redirect.github.com/sveltejs/svelte/releases/tag/svelte%404.2.19) [Compare Source](https://redirect.github.com/sveltejs/svelte/compare/svelte@4.2.18...svelte@4.2.19) ##### Patch Changes - fix: ensure typings for `Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.