GHSA-gw32-9rmw-qwww: svelte is vulnerable to XSS with textarea bind:value

Summary

A server-side rendered <textarea> with a two-way bound value does not have that value correctly escaped in the rendered HTML.

Details

In SSR, <textarea bind:value={...}> does not have its value escaped when it is rendered into the HTML as <textarea>...</textarea>.

PoC

Put this in a server-side-rendered Svelte component:

<script>
  // The string is built from pieces so that the literal "<script>" and
  // "</script>" do not terminate this component's own <script> block.
  let value = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;
</script>

<textarea bind:value />

Impact

  • Only affects SSR
  • Needs a <textarea bind:value> filled by user content via two-way binding
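An added illustration of the bug class and its fix, not Svelte's renderer or the code in the referenced commit: the PoC value is rendered with and without escaping, and a check flags output in which the bound value closes the <textarea> early. The render and escape functions are assumed stand-ins for the SSR code path.

```javascript
// Illustration of the GHSA-gw32-9rmw-qwww bug class (added example, not
// Svelte's own code): minimal SSR of <textarea bind:value> with and without
// escaping of the bound value.

// Escape the characters that can terminate or alter text content inside an
// element. For a <textarea> the critical one is "<", which lets "</textarea>"
// close the element early; "&" is escaped so entity sequences stay literal.
// Quotes need no escaping here because the value is element content, not an
// attribute value.
function escapeHtmlText(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Models the vulnerable behaviour: the bound value is interpolated verbatim.
function renderTextareaUnescaped(value) {
  return `<textarea>${value}</textarea>`;
}

// Models the corrected behaviour: the bound value is escaped first.
function renderTextareaEscaped(value) {
  return `<textarea>${escapeHtmlText(value)}</textarea>`;
}

// Defender-side check on rendered output: a well-formed render of one
// textarea contains exactly one "</textarea>"; any other count means the
// bound value broke out of the element.
function textareaClosedEarly(html) {
  const closers = html.match(/<\/textarea\s*>/gi) || [];
  return closers.length !== 1;
}

// Constructed input: the value from the advisory's PoC, used offline.
const POC_VALUE = `test'"></textarea><script` + `>alert('BIM');</sc` + `ript>`;

function demo() {
  const unsafe = renderTextareaUnescaped(POC_VALUE);
  const safe = renderTextareaEscaped(POC_VALUE);
  return {
    unsafeClosesEarly: textareaClosedEarly(unsafe), // true: markup injected
    safeClosesEarly: textareaClosedEarly(safe),     // false: stays text
    safeHtml: safe,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```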
References

  • GHSA-gw32-9rmw-qwww
  • sveltejs/svelte@a31dec5