
Serious Security Vulnerability! SSR rendering code injection trivial in style:prop handling #8085

Bluebie opened this issue Dec 5, 2022 · 2 comments · Fixed by #8087



Bluebie commented Dec 5, 2022

Describe the bug

When performing SSR, Svelte does not HTML encode the values of style:prop attributes when they're inserted into a generated style="" property on plain HTML elements. If style:prop attributes contain user generated content, and that content can be made to be a string, it is trivial to inject JavaScript into the page. A real-world example is when users are able to select which font they would like their content to be displayed in.

In the sveltekit case, this code will execute if users browse directly to the URL, or reload the page while on that path, or if the sveltekit router was disabled on the previous linking page causing a full page load.


The issue is demonstrated here: as a sveltekit demo project.

  1. clone the repo
  2. npm i
  3. npm run dev
  4. browse directly to /pop-alert
  5. You should see an alert popup, demonstrating unexpected code execution, whenever loading the /pop-alert route with a full page load.

[Screenshot attached: 2022-12-05 at 10:58:37 pm]



System Info

    OS: macOS 13.0.1
    CPU: (8) arm64 Apple M1
    Memory: 45.22 MB / 8.00 GB
    Shell: 5.8.1 - /bin/zsh
    Node: 18.0.0 - /opt/homebrew/bin/node
    npm: 8.6.0 - /opt/homebrew/bin/npm
    Chrome: 108.0.5359.94
    Edge: 106.0.1370.52
    Firefox: 107.0.1
    Safari: 16.1
    Safari Technology Preview: 16.4
    svelte: ^3.53.1 => 3.53.1


Severity: blocking all usage of svelte


We've got an escape function we can use for this:

```js
export function escape_attribute_value(value) {
```

I'm guessing it's not being called in this code path though.
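To make the bug described in the issue and the escape function mentioned above concrete, here is an added example (not Svelte's own SSR code) that models how style:prop values end up in a style="" attribute, once without attribute escaping and once with the `&`/`"` escaping an attribute context needs; `render_style_unescaped`, `render_style_escaped` and `attribute_boundary_intact` are hypothetical names, and the hostile font value is constructed.

```javascript
// Added example, not code from the Svelte project: a minimal model of an SSR
// renderer turning style:prop directives into a style="" attribute.

// Escape only what can terminate or alter a double-quoted HTML attribute.
function escape_attribute(value) {
  return String(value).replace(/[&"]/g, (ch) => (ch === '&' ? '&amp;' : '&quot;'));
}

// Vulnerable variant (the behaviour this issue reports): values are
// concatenated verbatim into style="...".
function render_style_unescaped(styles) {
  const css = Object.entries(styles).map(([k, v]) => `${k}: ${v}`).join('; ');
  return `<div style="${css}"></div>`;
}

// Hardened variant: each value is escaped before it lands in the attribute.
function render_style_escaped(styles) {
  const css = Object.entries(styles)
    .map(([k, v]) => `${k}: ${escape_attribute(v)}`)
    .join('; ');
  return `<div style="${css}"></div>`;
}

// Defensive check for tests: the rendered tag should contain exactly the two
// double quotes the template emits; any extra one means the attribute boundary
// was broken by user content.
function attribute_boundary_intact(html) {
  return (html.match(/"/g) || []).length === 2;
}

// Constructed hostile input: a "font name" that closes the style attribute and
// smuggles an extra attribute onto the element (no script, just the breakout).
const user_font = 'serif" data-injected="1';

console.log(render_style_unescaped({ 'font-family': user_font }));
// <div style="font-family: serif" data-injected="1"></div>
console.log(render_style_escaped({ 'font-family': user_font }));
// <div style="font-family: serif&quot; data-injected=&quot;1"></div>
```

The `attribute_boundary_intact` check is the kind of assertion a regression test for this bug can make against rendered SSR output.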


This should be fixed now in 3.54.0.


3 participants