Open Narigo opened 5 months ago
Btw, on Discord, khromov shared a potential workaround: use `onMount` to inject a third party script on the page:

```js
import { onMount } from 'svelte';

onMount(() => {
  const script = document.createElement('script');
  script.src = 'https://example.com/external-script.js';
  script.type = 'text/javascript';
  document.body.appendChild(script);
});
```
This is expected although confusing. The reason is that `@html`, when rendered on the client, uses `.innerHTML = ...`, which does not execute script tags - this is a security measure by browsers. On the server this doesn't happen because it becomes regular HTML then.

I'm not sure if we should "fix" this - `@html` is already pretty insecure by nature, this would make it even more so.
Describe the bug

When a string like `<script>alert(1);</script>` is inserted into a `{@html stringWithScriptTag}`, the script gets evaluated when the page is refreshed or the user gets to the page via a link with `rel="external"`. It does not get evaluated when you follow a link without `rel="external"` to the page.

Reproduction

Here is a reproducer on sveltelab.dev with two pages where `page2` includes the script injection.

Logs
No response
System Info
Severity
serious, but I can work around it
Additional Information
For my use case, I would be happy if script injections were always allowed, but I would understand disallowing them always. It doesn't feel right to me that it behaves differently depending on how the user switches to the page in question though. I didn't see this documented anywhere, so I tested it and saw this happening.
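The SSR/client divergence above means a test that only exercises client-side navigation never sees the script run. As an added example (not code from the issue or from Svelte), the guard below flags markup that would execute on a server-rendered page so it can be rejected or logged before it reaches `{@html}`; the function names and the `SAMPLES` inputs are constructed for this illustration, and the check is a detector for tests and logging, not a substitute for an allow-list sanitizer.

```javascript
// Added example: a pre-render guard for strings destined for {@html}.
// Server-rendered output executes <script> elements while client-side
// innerHTML does not, so rendering such a string is an XSS on a full page
// load even when client navigation looks harmless. This flags the
// executable constructs so the string can be refused consistently on both
// paths. It is a detector, not a sanitizer: untrusted HTML still needs an
// allow-list sanitizer before {@html}.

// Case-insensitive patterns for executable constructs. The HTML parser only
// recognises "<script" with no whitespace after "<", so that is all we match.
// Attributes may follow whitespace, a "/", or a closing quote of the
// previous attribute (e.g. <img src="x"onerror=...>).
const SCRIPT_TAG = /<script\b/i;
const EVENT_HANDLER = /[\s/"']on[a-z]+\s*=/i;
const JS_URL = /(?:href|src)\s*=\s*["']?\s*javascript:/i;

// Return a list of findings for `html`; an empty list means nothing was
// detected. Each finding names the construct and its 0-based offset.
function findExecutableMarkup(html) {
  const findings = [];
  for (const [kind, re] of [
    ['script-tag', SCRIPT_TAG],
    ['event-handler', EVENT_HANDLER],
    ['javascript-url', JS_URL],
  ]) {
    const m = re.exec(html);
    if (m) findings.push({ kind, offset: m.index });
  }
  return findings;
}

// Guard to call (for instance in a server load function) before handing a
// string to a component that renders it with {@html}. Throwing here gives
// the same outcome on a full page load and on client-side navigation,
// instead of the script running only on the former.
function assertSafeForHtmlDirective(html) {
  const findings = findExecutableMarkup(html);
  if (findings.length > 0) {
    const kinds = findings.map((f) => f.kind).join(', ');
    throw new Error(`refusing to render {@html} content: ${kinds}`);
  }
  return html;
}

// Constructed sample inputs, mirroring the reproducer in the report.
const SAMPLES = {
  benign: '<p>Hello <strong>world</strong></p>',
  script: '<p>Hi</p><script>alert(1);</script>',
  handler: '<img src="x" onerror="alert(1)">',
};
```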