Closed: quasarchimaere closed this issue 2 years ago
Ok, I've found a way for a user to inject XSS...
https://svelte.dev/repl/d6511a1329ba4f7996c83cbc0b73951e?version=3.49.0
Fixed in v16
@rob-balfre not to be a stickler here, but can you please explain to me why the fix is adding an extra function that strips any (possibly) bad content from the option, rather than just removing the @html parameter that circumvents the built in svelte escaping?
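An added illustration of the point raised above (not code from svelte-select or from anyone in this thread): the same option label rendered through ordinary text interpolation, which escapes markup, and through an `@html`-style raw path, which does not. The function names, the escape table and the sample label are all constructed for this example.

```javascript
// Added example, not the project's own code. Models the two rendering paths a
// Svelte component can take for an option label: `{label}` (text interpolation,
// escaped) versus `{@html label}` (raw markup, no escaping).

// Constructed escape table; mirrors standard HTML text/attribute escaping.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// What `{label}` does: every character with meaning in HTML becomes an entity,
// so user-supplied markup is displayed as text instead of being parsed.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer. With `useHtmlDirective: false` the label is escaped,
// which is the built-in Svelte behaviour; with `true` it is inserted verbatim,
// which is what `{@html}` does and why attacker-controlled labels are a problem.
function renderOption(label, { useHtmlDirective = false } = {}) {
  const body = useHtmlDirective ? String(label) : escapeHtml(label);
  return `<div class="item">${body}</div>`;
}

// Returns true when escaping would change the label, i.e. the label contains
// characters that the raw path would hand straight to the HTML parser.
function labelContainsMarkup(label) {
  return escapeHtml(label) !== String(label);
}

// Constructed, harmless label of the shape a user could submit as an option.
const untrustedLabel = '<b>admin</b> &amp; co';

console.log(renderOption(untrustedLabel));
// → <div class="item">&lt;b&gt;admin&lt;/b&gt; &amp;amp; co</div>
console.log(renderOption(untrustedLabel, { useHtmlDirective: true }));
// → <div class="item"><b>admin</b> &amp; co</div>
console.log(labelContainsMarkup(untrustedLabel)); // → true
```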
Because I use it ☺️
Since repro steps have been posted and the issue is still present, wouldn't we want to re-open it?
373 "Possibility for XSS injection"