A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
If the string is an attribute value:
" -> "
& -> &
Other characters -> No conversion
Otherwise:
< -> <
& -> &
Other characters -> No conversion
The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.
PoC
A vulnerable page (+page.svelte):
<script>
import { page } from "$app/stores"
// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>
<noscript>
<a href={href}>test</a>
</noscript>
XSS, when using an attribute within a noscript tag
Release Notes
sveltejs/svelte (svelte)
### [`v4.2.19`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.19)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.18...svelte@4.2.19)
##### Patch Changes
- fix: ensure typings for `` are picked up ([#12902](https://togithub.com/sveltejs/svelte/pull/12902))
- fix: escape `<` in attribute strings ([#12989](https://togithub.com/sveltejs/svelte/pull/12989))
### [`v4.2.18`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.18)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.17...svelte@4.2.18)
##### Patch Changes
- chore: speed up regex ([#11922](https://togithub.com/sveltejs/svelte/pull/11922))
### [`v4.2.17`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.17)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.16...svelte@4.2.17)
##### Patch Changes
- fix: correctly handle falsy values of style directives in SSR mode ([#11584](https://togithub.com/sveltejs/svelte/pull/11584))
### [`v4.2.16`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.16)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.15...svelte@4.2.16)
##### Patch Changes
- fix: check if svelte component exists on custom element destroy ([#11489](https://togithub.com/sveltejs/svelte/pull/11489))
### [`v4.2.15`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.15)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.14...svelte@4.2.15)
##### Patch Changes
- support attribute selector inside :global() ([#11135](https://togithub.com/sveltejs/svelte/pull/11135))
### [`v4.2.14`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.14)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.13...svelte@4.2.14)
##### Patch Changes
- fix parsing camelcase container query name ([#11131](https://togithub.com/sveltejs/svelte/pull/11131))
### [`v4.2.13`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.13)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.12...svelte@4.2.13)
##### Patch Changes
- fix: applying :global for +,~ sibling combinator when slots are present ([#9282](https://togithub.com/sveltejs/svelte/pull/9282))
### [`v4.2.12`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.12)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.11...svelte@4.2.12)
##### Patch Changes
- fix: properly update `svelte:component` props when there are spread props ([#10604](https://togithub.com/sveltejs/svelte/pull/10604))
### [`v4.2.11`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.11)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.10...svelte@4.2.11)
##### Patch Changes
- fix: check that component wasn't instantiated in `connectedCallback` ([#10466](https://togithub.com/sveltejs/svelte/pull/10466))
### [`v4.2.10`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.10)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.9...svelte@4.2.10)
##### Patch Changes
- fix: add `scrollend` event type ([#10336](https://togithub.com/sveltejs/svelte/pull/10336))
- fix: add `fetchpriority` attribute type ([#10390](https://togithub.com/sveltejs/svelte/pull/10390))
- fix: Add `miter-clip` and `arcs` to `stroke-linejoin` attribute ([#10377](https://togithub.com/sveltejs/svelte/pull/10377))
- fix: make inline doc links valid ([#10366](https://togithub.com/sveltejs/svelte/pull/10366))
### [`v4.2.9`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.9)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.8...svelte@4.2.9)
##### Patch Changes
- fix: add types for popover attributes and events ([#10042](https://togithub.com/sveltejs/svelte/pull/10042))
- fix: add `gamepadconnected` and `gamepaddisconnected` events ([#9864](https://togithub.com/sveltejs/svelte/pull/9864))
- fix: make `@types/estree` a dependency ([#10149](https://togithub.com/sveltejs/svelte/pull/10149))
- fix: bump `axobject-query` ([#10167](https://togithub.com/sveltejs/svelte/pull/10167))
### [`v4.2.8`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.8)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.7...svelte@4.2.8)
##### Patch Changes
- fix: port over props that were set prior to initialization ([#9701](https://togithub.com/sveltejs/svelte/pull/9701))
### [`v4.2.7`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.7)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.6...svelte@4.2.7)
##### Patch Changes
- fix: handle spreads within static strings ([#9554](https://togithub.com/sveltejs/svelte/pull/9554))
### [`v4.2.6`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.6)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.5...svelte@4.2.6)
##### Patch Changes
- fix: adjust static attribute regex ([#9551](https://togithub.com/sveltejs/svelte/pull/9551))
### [`v4.2.5`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.5)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.4...svelte@4.2.5)
##### Patch Changes
- fix: ignore expressions in top level script/style tag attributes ([#9498](https://togithub.com/sveltejs/svelte/pull/9498))
### [`v4.2.4`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.4)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.3...svelte@4.2.4)
##### Patch Changes
- fix: handle closing tags inside attribute values ([#9486](https://togithub.com/sveltejs/svelte/pull/9486))
### [`v4.2.3`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.3)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.2...svelte@4.2.3)
##### Patch Changes
- fix: improve a11y-click-events-have-key-events message ([#9358](https://togithub.com/sveltejs/svelte/pull/9358))
- fix: more robust hydration of html tag ([#9184](https://togithub.com/sveltejs/svelte/pull/9184))
### [`v4.2.2`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#422)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.1...svelte@4.2.2)
##### Patch Changes
- fix: support camelCase properties on custom elements ([#9328](https://togithub.com/sveltejs/svelte/pull/9328))
- fix: add missing plaintext-only value to contenteditable type ([#9242](https://togithub.com/sveltejs/svelte/pull/9242))
- chore: upgrade magic-string to 0.30.4 ([#9292](https://togithub.com/sveltejs/svelte/pull/9292))
- fix: ignore trailing comments when comparing nodes ([#9197](https://togithub.com/sveltejs/svelte/pull/9197))
### [`v4.2.1`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#421)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.0...svelte@4.2.1)
##### Patch Changes
- fix: update style directive when style attribute is present and is updated via an object prop ([#9187](https://togithub.com/sveltejs/svelte/pull/9187))
- fix: css sourcemap generation with unicode filenames ([#9120](https://togithub.com/sveltejs/svelte/pull/9120))
- fix: do not add module declared variables as dependencies ([#9122](https://togithub.com/sveltejs/svelte/pull/9122))
- fix: handle `svelte:element` with dynamic this and spread attributes ([#9112](https://togithub.com/sveltejs/svelte/pull/9112))
- fix: silence false positive reactive component warning ([#9094](https://togithub.com/sveltejs/svelte/pull/9094))
- fix: head duplication when binding is present ([#9124](https://togithub.com/sveltejs/svelte/pull/9124))
- fix: take custom attribute name into account when reflecting property ([#9140](https://togithub.com/sveltejs/svelte/pull/9140))
- fix: add `indeterminate` to the list of HTMLAttributes ([#9180](https://togithub.com/sveltejs/svelte/pull/9180))
- fix: recognize option value on spread attribute ([#9125](https://togithub.com/sveltejs/svelte/pull/9125))
### [`v4.2.0`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#420)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.1.2...svelte@4.2.0)
##### Minor Changes
- feat: move `svelteHTML` from language-tools into core to load the correct `svelte/element` types ([#9070](https://togithub.com/sveltejs/svelte/pull/9070))
### [`v4.1.2`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#412)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.1.1...svelte@4.1.2)
##### Patch Changes
- fix: allow child element with slot attribute within svelte:element ([#9038](https://togithub.com/sveltejs/svelte/pull/9038))
- fix: Add data-\* to svg attributes ([#9036](https://togithub.com/sveltejs/svelte/pull/9036))
### [`v4.1.1`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#411)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.1.0...svelte@4.1.1)
##### Patch Changes
- fix: `svelte:component` spread props change not picked up ([#9006](https://togithub.com/sveltejs/svelte/pull/9006))
### [`v4.1.0`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#410)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.0.5...svelte@4.1.0)
##### Minor Changes
- feat: add ability to extend custom element class ([#8991](https://togithub.com/sveltejs/svelte/pull/8991))
##### Patch Changes
- fix: ensure `svelte:component` evaluates props once ([#8946](https://togithub.com/sveltejs/svelte/pull/8946))
- fix: remove `let:variable` slot bindings from select binding dependencies ([#8969](https://togithub.com/sveltejs/svelte/pull/8969))
- fix: handle destructured primitive literals ([#8871](https://togithub.com/sveltejs/svelte/pull/8871))
- perf: optimize imports that are not mutated or reassigned ([#8948](https://togithub.com/sveltejs/svelte/pull/8948))
- fix: don't add accessor twice ([#8996](https://togithub.com/sveltejs/svelte/pull/8996))
### [`v4.0.5`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#405)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.0.4...svelte@4.0.5)
##### Patch Changes
- fix: generate type definition with nullable types ([#8924](https://togithub.com/sveltejs/svelte/pull/8924))
### [`v4.0.4`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#404)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.0.3...svelte@4.0.4)
##### Patch Changes
- fix: claim svg tags in raw mustache tags correctly ([#8910](https://togithub.com/sveltejs/svelte/pull/8910))
- fix: repair invalid raw html content during hydration ([#8912](https://togithub.com/sveltejs/svelte/pull/8912))
### [`v4.0.3`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#403)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.0.2...svelte@4.0.3)
##### Patch Changes
- fix: handle falsy srcset values ([#8901](https://togithub.com/sveltejs/svelte/pull/8901))
### [`v4.0.2`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#402)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.0.1...svelte@4.0.2)
##### Patch Changes
- fix: reflect all custom element prop updates back to attribute ([#8898](https://togithub.com/sveltejs/svelte/pull/8898))
- fix: shrink custom element baseline a bit ([#8858](https://togithub.com/sveltejs/svelte/pull/8858))
- fix: use non-destructive hydration for all `@html` tags ([#8880](https://togithub.com/sveltejs/svelte/pull/8880))
- fix: align `disclose-version` exports specification ([#8874](https://togithub.com/sveltejs/svelte/pull/8874))
- fix: check srcset when hydrating to prevent needless requests ([#8868](https://togithub.com/sveltejs/svelte/pull/8868))
### [`v4.0.1`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#401)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.0.0...svelte@4.0.1)
##### Patch Changes
- fix: ensure identifiers in destructuring contexts don't clash with existing ones ([#8840](https://togithub.com/sveltejs/svelte/pull/8840))
- fix: ensure `createEventDispatcher` and `ActionReturn` work with types from generic function parameters ([#8872](https://togithub.com/sveltejs/svelte/pull/8872))
- fix: apply transition to `` with local transition ([#8865](https://togithub.com/sveltejs/svelte/pull/8865))
- fix: relax a11y "no redundant role" rule for li, ul, ol ([#8867](https://togithub.com/sveltejs/svelte/pull/8867))
- fix: remove tsconfig.json from published package ([#8859](https://togithub.com/sveltejs/svelte/pull/8859))
### [`v4.0.0`](https://togithub.com/sveltejs/svelte/blob/HEAD/packages/svelte/CHANGELOG.md#400)
[Compare Source](https://togithub.com/sveltejs/svelte/compare/v3.59.2...svelte@4.0.0)
##### Major Changes
- breaking: Minimum supported Node version is now Node 16 ([#8566](https://togithub.com/sveltejs/svelte/pull/8566))
- breaking: Minimum supported webpack version is now webpack 5 ([#8515](https://togithub.com/sveltejs/svelte/pull/8515))
- breaking: Bundlers must specify the `browser` condition when building a frontend bundle for the browser ([#8516](https://togithub.com/sveltejs/svelte/pull/8516))
- breaking: Minimum supported vite-plugin-svelte version is now 2.4.1. SvelteKit users can upgrade to 1.20.0 or newer to ensure a compatible version ([#8516](https://togithub.com/sveltejs/svelte/pull/8516))
- breaking: Minimum supported `rollup-plugin-svelte` version is now 7.1.5 ([198dbcf](https://togithub.com/sveltejs/svelte/commit/198dbcf))
- breaking: Minimum supported `svelte-loader` is now 3.1.8 ([198dbcf](https://togithub.com/sveltejs/svelte/commit/198dbcf))
- breaking: Minimum supported TypeScript version is now TypeScript 5 (it will likely work with lower versions, but we make no guarantees about that) ([#8488](https://togithub.com/sveltejs/svelte/pull/8488))
- breaking: Remove `svelte/register` hook, CJS runtime version and CJS compiler output ([#8613](https://togithub.com/sveltejs/svelte/pull/8613))
- breaking: Stricter types for `createEventDispatcher` (see PR for migration instructions) ([#7224](https://togithub.com/sveltejs/svelte/pull/7224))
- breaking: Stricter types for `Action` and `ActionReturn` (see PR for migration instructions) ([#7442](https://togithub.com/sveltejs/svelte/pull/7442))
- breaking: Stricter types for `onMount` - now throws a type error when returning a function asynchronously to catch potential mistakes around callback functions
(see PR for migration instructions) ([#8136](https://togithub.com/sveltejs/svelte/pull/8136))
- breaking: Overhaul and drastically improve creating custom elements with Svelte (see PR for list of changes and migration instructions) ([#8457](https://togithub.com/sveltejs/svelte/pull/8457))
- breaking: Deprecate `SvelteComponentTyped` in favor of `SvelteComponent` ([#8512](https://togithub.com/sveltejs/svelte/pull/8512))
- breaking: Make transitions local by default to prevent confusion around page navigations ([#6686](https://togithub.com/sveltejs/svelte/issues/6686))
- breaking: Error on falsy values instead of stores passed to `derived` ([#7947](https://togithub.com/sveltejs/svelte/pull/7947))
- breaking: Custom store implementers now need to pass an `update` function additionally to the `set` function ([#6750](https://togithub.com/sveltejs/svelte/pull/6750))
- breaking: Do not expose default slot bindings to named slots and vice versa ([#6049](https://togithub.com/sveltejs/svelte/pull/6049))
- breaking: Change order in which preprocessors are applied ([#8618](https://togithub.com/sveltejs/svelte/pull/8618))
- breaking: The runtime now makes use of `classList.toggle(name, boolean)` which does not work in very old browsers ([#8629](https://togithub.com/sveltejs/svelte/pull/8629))
- breaking: apply `inert` to outroing elements ([#8628](https://togithub.com/sveltejs/svelte/pull/8628))
- breaking: use `CustomEvent` constructor instead of deprecated `createEvent` method ([#8775](https://togithub.com/sveltejs/svelte/pull/8775))
##### Minor Changes
- Add a way to modify attributes for script/style preprocessors ([#8618](https://togithub.com/sveltejs/svelte/pull/8618))
- Improve hydration speed by adding `data-svelte-h` attribute to detect unchanged HTML elements ([#7426](https://togithub.com/sveltejs/svelte/pull/7426))
- Add `a11y no-noninteractive-element-interactions` rule ([#8391](https://togithub.com/sveltejs/svelte/pull/8391))
- Add `a11y-no-static-element-interactions`rule ([#8251](https://togithub.com/sveltejs/svelte/pull/8251))
- Allow `#each` to iterate over iterables like `Set`, `Map` etc ([#7425](https://togithub.com/sveltejs/svelte/issues/7425))
- Improve duplicate key error for keyed `each` blocks ([#8411](https://togithub.com/sveltejs/svelte/pull/8411))
- Warn about `:` in attributes and props to prevent ambiguity with Svelte directives ([#6823](https://togithub.com/sveltejs/svelte/issues/6823))
- feat: add version info to `window`. You can opt out by setting `discloseVersion` to `false` in the compiler options ([#8761](https://togithub.com/sveltejs/svelte/pull/8761))
- feat: smaller minified output for destructor chunks ([#8763](https://togithub.com/sveltejs/svelte/pull/8763))
##### Patch Changes
- Bind `null` option and input values consistently ([#8312](https://togithub.com/sveltejs/svelte/issues/8312))
- Allow `$store` to be used with changing values including nullish values ([#7555](https://togithub.com/sveltejs/svelte/issues/7555))
- Initialize stylesheet with `/* empty */` to enable setting CSP directive that also works in Safari ([#7800](https://togithub.com/sveltejs/svelte/pull/7800))
- Treat slots as if they don't exist when using CSS adjacent and general sibling combinators ([#8284](https://togithub.com/sveltejs/svelte/issues/8284))
- Fix transitions so that they don't require a `style-src 'unsafe-inline'` Content Security Policy (CSP) ([#6662](https://togithub.com/sveltejs/svelte/issues/6662)).
- Explicitly disallow `var` declarations extending the reactive statement scope ([#6800](https://togithub.com/sveltejs/svelte/pull/6800))
- Improve error message when trying to use `animate:` directives on inline components ([#8641](https://togithub.com/sveltejs/svelte/issues/8641))
- fix: export ComponentType from `svelte` entrypoint ([#8578](https://togithub.com/sveltejs/svelte/pull/8578))
- fix: never use html optimization for mustache tags in hydration mode ([#8744](https://togithub.com/sveltejs/svelte/pull/8744))
- fix: derived store types ([#8578](https://togithub.com/sveltejs/svelte/pull/8578))
- Generate type declarations with dts-buddy ([#8578](https://togithub.com/sveltejs/svelte/pull/8578))
- fix: ensure types are loaded with all TS settings ([#8721](https://togithub.com/sveltejs/svelte/pull/8721))
- fix: account for preprocessor source maps when calculating meta info ([#8778](https://togithub.com/sveltejs/svelte/pull/8778))
- chore: deindent cjs output for compiler ([#8785](https://togithub.com/sveltejs/svelte/pull/8785))
- warn on boolean compilerOptions.css ([#8710](https://togithub.com/sveltejs/svelte/pull/8710))
- fix: export correct SvelteComponent type ([#8721](https://togithub.com/sveltejs/svelte/pull/8721))
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
^3.55.0
->^4.0.0
GitHub Vulnerability Alerts
CVE-2024-45047
Summary
A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.
Details
Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:
"
->"
&
->&
<
-><
&
->&
The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a
<noscript>
tag.PoC
A vulnerable page (
+page.svelte
):If a user accesses the following URL,
then,
alert(123)
will be executed.Impact
XSS, when using an attribute within a noscript tag
Release Notes
sveltejs/svelte (svelte)
### [`v4.2.19`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.19) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.18...svelte@4.2.19) ##### Patch Changes - fix: ensure typings for `Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.