Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[fix] harden attribute escaping during ssr #7530

merged 3 commits into from
Jun 20, 2022


Copy link

@mrkishi mrkishi commented May 13, 2022

Upon reviewing #5701 I noticed we don't escape attributes when using objects during SSR. This introduces a (small) vulnerability where objects with a custom toString() implementation turn seemingly safe components into an XSS vector:

<!-- SeeminglySafe.svelte -->
	export let attr = undefined;
	export let attrs = {};

	const safe_attrs = {
		foo: 'foo',
		bar: 'bar'

{#if attr !== undefined}
	Variant 1: <div {...safe_attrs} {attr}/>
	Variant 2: <div {...attrs}/>

<!-- Component.svelte -->
	import ActuallyVulnerable from './SeeminglySafe.svelte';

	export let untrusted = '"><script>alert("xss")<\/script>';

	const model = {
		data: untrusted,

		// I'm so helpful! Don't you _love_ OOP?
		toString() {

<ActuallyVulnerable attr={model} />
<ActuallyVulnerable attrs={{ foo: 'foo', bar: model }} />

<!-- SSRed html -->
Variant 1: <div foo="foo" bar="bar" attr=""><script>alert("xss")</script>"></div>
Variant 2: <div foo="foo" bar=""><script>alert("xss")</script>"></div>

Before submitting the PR, please make sure you do the following

  • It's really useful if your PR references an issue where it is discussed ahead of time. In many cases, features are absent for a reason. For large changes, please create an RFC:
  • Prefix your PR title with [feat], [fix], [chore], or [docs].
  • This message body should clearly illustrate what problems it solves.
  • Ideally, include a test that fails without this PR but passes with it.


  • Run the tests with npm test and lint the project with npm run lint

Copy link

Any reason why this cannot be merged?
This should solve this vulnerability.

@dummdidumm dummdidumm merged commit f8605d6 into sveltejs:master Jun 20, 2022
Copy link

Hello, will this vulnerability really be reproduced? My version is 3.45.0. I tried it according to your method, and there is no XSS.

Copy link
Member Author

mrkishi commented Jul 20, 2022

@Wninayyds Yeah, it's present in 3.45.0—the fix was released in 3.49.0. Note that it only affects SSR, not components running in the browser.

You should be safe as long as you aren't overriding toString, so it's extremely likely you're okay.

@mrkishi mrkishi deleted the xss-vuln branch July 20, 2022 01:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

5 participants