Nixpkgs security tracker
Untriaged
Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
References
-
https://github.com/sveltejs/svelte/security/advisories/GHSA-phwv-c562-gvmh x_refsource_CONFIRM
-
https://github.com/sveltejs/svelte/releases/tag/svelte%405.53.5 x_refsource_MISC
Affected products
svelte
- ==< 5.53.5
Matching in nixpkgs
pkgs.svelte-check
Svelte code checker
pkgs.svelte-language-server
Language server (implementing the language server protocol) for Svelte
pkgs.vscode-extensions.svelte.svelte-vscode
Svelte language support for VS Code
pkgs.tree-sitter-grammars.tree-sitter-svelte
None
-
nixos-unstable 0.0.0+rev=ae5199d
- nixpkgs-unstable 0.0.0+rev=ae5199d
- nixos-unstable-small 0.0.0+rev=ae5199d
pkgs.python312Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
pkgs.python313Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
pkgs.python314Packages.tree-sitter-grammars.tree-sitter-svelte
Python bindings for tree-sitter-svelte
Package maintainers
-
@A-jay98 Ali Jamadi <ali@jamadi.me>
-
@adfaure Adrien Faure <adfaure@pm.me>
-
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
-
@stepbrobd Yifei Sun <ysun@hey.com>
-
@fabianhauser Fabian Hauser <fabian.nixos@fh2.ch>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>