Serious Security Vulnerability! SSR rendering code injection trivial in style:prop handling #8085
Comments
|
We've got an escape function we can use for this: svelte/src/runtime/internal/ssr.ts Line 98 in 01a9116 I'm guessing it's not being called in this code path though |
5 tasks
|
This should be fixed now in 3.54.0. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
When performing SSR, Svelte does not HTML encode the values of style:prop attributes when they're inserted in to a generated style="" property on plain html elements. If style:prop attributes contain user generated content, and that content can be made to be a string, it is trivial to inject javascript in to the page. A real-world example is when users are able to select which font they would like their content to be displayed in.
In the sveltekit case, this code will execute if users browse directly to the URL, or reload the page while on that path, or if the sveltekit router was disabled on the previous linking page causing a full page load.
Reproduction
The issue is demonstrated here: https://github.com/Bluebie/svelte-ssr-attributes-insecure as a sveltekit demo project.
Logs
No response
System Info
System: OS: macOS 13.0.1 CPU: (8) arm64 Apple M1 Memory: 45.22 MB / 8.00 GB Shell: 5.8.1 - /bin/zsh Binaries: Node: 18.0.0 - /opt/homebrew/bin/node npm: 8.6.0 - /opt/homebrew/bin/npm Browsers: Chrome: 108.0.5359.94 Edge: 106.0.1370.52 Firefox: 107.0.1 Safari: 16.1 Safari Technology Preview: 16.4 npmPackages: svelte: ^3.53.1 => 3.53.1Severity
blocking all usage of svelte
The text was updated successfully, but these errors were encountered: