Nixpkgs security tracker
Untriaged
Svelte SSR does not validate dynamic element tag names in `<svelte:element>`
svelte performance oriented web framework. Prior to 5.51.5, when using <svelte:element this={tag}> in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
References
-
https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp x_refsource_CONFIRM
Affected products
svelte
- ==< 5.51.5
Matching in nixpkgs
pkgs.svelte-check
Svelte code checker
pkgs.svelte-language-server
Language server (implementing the language server protocol) for Svelte
pkgs.vscode-extensions.svelte.svelte-vscode
Svelte language support for VS Code
pkgs.tree-sitter-grammars.tree-sitter-svelte
None
-
nixos-unstable 0.0.0+rev=ae5199d
- nixpkgs-unstable 0.0.0+rev=ae5199d
- nixos-unstable-small 0.0.0+rev=ae5199d
pkgs.python312Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
pkgs.python313Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
pkgs.python314Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
Package maintainers
-
@A-jay98 Ali Jamadi <ali@jamadi.me>
-
@adfaure Adrien Faure <adfaure@pm.me>
-
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
-
@stepbrobd Yifei Sun <ysun@hey.com>
-
@fabianhauser Fabian Hauser <fabian.nixos@fh2.ch>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>