XSS vulnerability with textarea

[coyotte508]

Describe the bug

Content inside textarea is not html-escaped during server-side rendering, only after hydration.

This causes an XSS vulnerability, as scripts inside can be run before hydration.

Reproduction

In a +page.svelte, add this:

<textarea value={`test'"></textarea><script>alert('BIM');</script>`} />

That's all there is to it.

This also causes the problem:

<textarea>{`test'"></textarea><script>alert('BIM');</script>`}</textarea>

Link to reproduction: https://github.com/coyotte508/sveltekit-xss

Logs

No response

System Info

System:
    OS: Linux 6.0 Pop!_OS 22.04 LTS
    CPU: (16) x64 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz
    Memory: 16.07 GB / 62.65 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 18.15.0 - /usr/local/bin/node
    npm: 9.5.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 111.0.5563.146
    Firefox: 110.0
  npmPackages:
    @sveltejs/adapter-auto: ^2.0.0 => 2.0.0 
    @sveltejs/kit: ^1.5.0 => 1.14.0 
    svelte: ^3.54.0 => 3.57.0 
    vite: ^4.2.0 => 4.2.1

Severity

annoyance

Additional Information

Maybe related to sveltejs/kit#5664

[Conduitry]

Transferring this to the core Svelte repo, as this is an issue with all SSR, regardless of SvelteKit.

[Conduitry]

Thank you very much for the report! This should be fixed now in Svelte 3.58.0.