search

edonyzpc / personal-assistant

A plugin which help you to automatically manage Obsidian.
Apache License 2.0
75 stars 2 forks source link

chore(deps): update dependency svelte to v4.2.19 [security] - autoclosed #257

Closed renovate[bot] closed 2 days ago

renovate[bot] commented 2 weeks ago

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
svelte (source) 4.2.12 -> 4.2.19 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-45047

Summary

A potential XSS vulnerability exists in Svelte for versions prior to 4.2.19.

Details

Svelte improperly escapes HTML on server-side rendering. It converts strings according to the following rules:

The assumption is that attributes will always stay as such, but in some situation the final DOM tree rendered on browsers is different from what Svelte expects on server-side rendering. This may be leveraged to perform XSS attacks. More specifically, this can occur when injecting malicious content into an attribute within a <noscript> tag.

PoC

A vulnerable page (+page.svelte):

<script>
import { page } from "$app/stores"

// user input
let href = $page.url.searchParams.get("href") ?? "https://example.com";
</script>

<noscript>
  <a href={href}>test</a>
</noscript>

If a user accesses the following URL,

http://localhost:4173/?href=</noscript><script>alert(123)</script>

then, alert(123) will be executed.

Impact

XSS, when using an attribute within a noscript tag

Release Notes

sveltejs/svelte (svelte) ### [`v4.2.19`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.19) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.18...svelte@4.2.19) ##### Patch Changes - fix: ensure typings for `` are picked up ([#​12902](https://togithub.com/sveltejs/svelte/pull/12902)) - fix: escape `<` in attribute strings ([#​12989](https://togithub.com/sveltejs/svelte/pull/12989)) ### [`v4.2.18`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.18) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.17...svelte@4.2.18) ##### Patch Changes - chore: speed up regex ([#​11922](https://togithub.com/sveltejs/svelte/pull/11922)) ### [`v4.2.17`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.17) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.16...svelte@4.2.17) ##### Patch Changes - fix: correctly handle falsy values of style directives in SSR mode ([#​11584](https://togithub.com/sveltejs/svelte/pull/11584)) ### [`v4.2.16`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.16) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.15...svelte@4.2.16) ##### Patch Changes - fix: check if svelte component exists on custom element destroy ([#​11489](https://togithub.com/sveltejs/svelte/pull/11489)) ### [`v4.2.15`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.15) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.14...svelte@4.2.15) ##### Patch Changes - support attribute selector inside :global() ([#​11135](https://togithub.com/sveltejs/svelte/pull/11135)) ### [`v4.2.14`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.14) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.13...svelte@4.2.14) ##### Patch Changes - fix parsing camelcase container query name ([#​11131](https://togithub.com/sveltejs/svelte/pull/11131)) ### [`v4.2.13`](https://togithub.com/sveltejs/svelte/releases/tag/svelte%404.2.13) [Compare Source](https://togithub.com/sveltejs/svelte/compare/svelte@4.2.12...svelte@4.2.13) ##### Patch Changes - fix: applying :global for +,~ sibling combinator when slots are present ([#​9282](https://togithub.com/sveltejs/svelte/pull/9282))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.