logo

Database

Server side cross-site scripting In svelte

Description

svelte is vulnerable to XSS with textarea bind:value

Summary

A server-side rendered <textarea> with two-way bound value does not have its value correctly escaped in the rendered HTML.

Details

In SSR, <textarea bind:value={...}> does not have its value escaped when it is rendered into the HTML as <textarea>...</textarea>.

PoC

Put this in a server-side-rendered Svelte component:

<script>
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>

<textarea bind:value />

Impact

    Only affects SSR

    Needs a <textarea bind:value> filled by user content via two-way binding

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-gw32-9rmw-qwww

References

1. https://github.com/sveltejs/svelte/security/advisories/GHSA-gw32-9rmw-qwww2. https://github.com/sveltejs/svelte/commit/a31dec5eb30978cff7ff4d77f4bf316841f711bc

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-CY0P2 – Vulnerability