Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS vulnerability with textarea #8429

Closed
coyotte508 opened this issue Mar 28, 2023 · 3 comments · Fixed by #8434
Closed

XSS vulnerability with textarea #8429

coyotte508 opened this issue Mar 28, 2023 · 3 comments · Fixed by #8434

Comments

@coyotte508
Copy link

Describe the bug

Content inside textarea is not html-escaped during server-side rendering, only after hydration.

This causes an XSS vulnerability, as scripts inside can be run before hydration.

Reproduction

In a +page.svelte, add this:

<textarea value={`test'"></textarea><script>alert('BIM');</script>`} />

That's all there is to it.

This also causes the problem:

<textarea>{`test'"></textarea><script>alert('BIM');</script>`}</textarea>

Link to reproduction: https://github.com/coyotte508/sveltekit-xss

Logs

No response

System Info

System:
    OS: Linux 6.0 Pop!_OS 22.04 LTS
    CPU: (16) x64 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz
    Memory: 16.07 GB / 62.65 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 18.15.0 - /usr/local/bin/node
    npm: 9.5.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 111.0.5563.146
    Firefox: 110.0
  npmPackages:
    @sveltejs/adapter-auto: ^2.0.0 => 2.0.0 
    @sveltejs/kit: ^1.5.0 => 1.14.0 
    svelte: ^3.54.0 => 3.57.0 
    vite: ^4.2.0 => 4.2.1

Severity

annoyance

Additional Information

Maybe related to sveltejs/kit#5664

@Conduitry
Copy link
Member

Transferring this to the core Svelte repo, as this is an issue with all SSR, regardless of SvelteKit.

@Conduitry Conduitry transferred this issue from sveltejs/kit Mar 28, 2023
@Conduitry
Copy link
Member

Thank you very much for the report! This should be fixed now in Svelte 3.58.0.

@Uzume
Copy link

Uzume commented Sep 15, 2024

Doesn't #12989 also now fix this and #8434 is effectively redundant?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants