Elderjs newbie here. Not sure, but assume that this, or a similar approach, is a realistic use-case. Was able to do an XSS injection by exploiting the hydration mechanism.
@valterkraemer Yep, 100% an XSS issue. The docs include this warning:
Security Note: Whatever you pass to hydrate-client will get written to the HTML shipped to the browser via JSON.stringify. There are XSS and security considerations of passing data to the client, only hydrate content you trust.
I don't imagine it being too complex to escape it if we wanted to make that less of a concern.
route.js
Blog.svelte
MyComponent.svelte
Loading the Blog page executes alert('Yo!'). Reported a similar issue in SvelteKit some months back: sveltejs/kit#721
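The escaping the maintainer mentions, as an added example that is not Elder.js code: the hydration payload is still produced with JSON.stringify, but characters that the HTML parser could treat as the end of the inline script element are rewritten as JSON unicode escapes, so the parsed value is unchanged while the break-out is no longer possible. The function names and the sample content are constructed for this example.

```javascript
// Added example, not part of Elder.js. Assumption: the serialized value is
// written into an inline <script> element (the hydration payload), where the
// HTML parser ends the script on "</script" (or "<!--") regardless of JS quoting.

// Serialize to JSON and escape characters that are meaningful to the HTML
// parser. JSON.parse turns "\u003c" back into "<", so the data is unchanged.
function safeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    // U+2028/2029 are valid in JSON but were line terminators in older JS engines.
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Check used to show the difference: does the serialized text contain a
// sequence that would close the enclosing script element?
function canBreakOutOfScript(serialized) {
  return /<\/script|<!--/i.test(serialized);
}

// Round-trip check: escaping changes only the textual form, not the value.
function roundTrips(value) {
  const reparsed = JSON.parse(safeJsonForScript(value));
  return JSON.stringify(reparsed) === JSON.stringify(value);
}

// Constructed sample: a field carrying untrusted content that contains a
// script-closing sequence, as in the hydrated blog component above.
const untrusted = { title: 'Hello </script><!-- injected -->' };

const unsafe = JSON.stringify(untrusted);   // contains "</script>" verbatim
const safe = safeJsonForScript(untrusted);  // contains "\u003c/script\u003e"
```

Any other data-dependent characters (quotes, backslashes) are already escaped by JSON.stringify itself; only the HTML-parser-relevant ones need the extra pass.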