Describe the bug
It is possible to inject a script tag in `data-url` in the `svelte-data` script tag.
E.g. if we have the search term in the query params https://www.google.com/search?q=Svelte we can create a malicious term that injects a script tag during SSR.
Happens on Firefox, Brave and Chrome, but Safari seems to protect against my POC; however, it should be possible to circumvent it in other scenarios.
Reproduction
Minimal example
term.js
index.svelte
Deployed POC using query params
POC Deployed: https://debug-app.vkrae.workers.dev/?search=%22%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cscript%20type=%22application/json
POC Code: valterkraemer/debug-app@1cc04c8
Logs
No response
System Info
Severity
serious, but I can work around it
Additional Information
No response
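An added illustration of the report above (not code from the issue, the POC repository or SvelteKit): a server-side renderer that interpolates a request-derived URL into the `data-url` attribute, next to a version that HTML-escapes the attribute, with a check that counts the resulting `<script` start tags. The function names, the `/api/search` URL and the JSON body are assumptions made for the example; the search term is the URL-decoded value from the POC link.

```javascript
// Added example: hypothetical helper names, not SvelteKit internals.

// Search term from the issue's POC link, URL-decoded.
const POC_TERM = '"></script><script>alert(1)</script><script type="application/json';

// Vulnerable shape: the fetched URL is written into the attribute as-is,
// so a double quote in it ends the attribute and the rest is parsed as markup.
function renderNaive(url, json) {
  return `<script type="application/json" data-type="svelte-data" data-url="${url}">${json}</script>`;
}

const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };

// Escape the characters that can end a double-quoted attribute or start a tag.
function escapeAttr(value) {
  return String(value).replace(/[&"<>]/g, (ch) => ATTR_ESCAPES[ch]);
}

// Hardened shape: same markup, attribute value escaped before interpolation.
function renderEscaped(url, json) {
  return `<script type="application/json" data-type="svelte-data" data-url="${escapeAttr(url)}">${json}</script>`;
}

// Regression check for SSR output: the block must contain exactly one <script start tag.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample input (assumed endpoint and body; the body is taken to be
// already safe for embedding, since the report concerns only the attribute).
const sampleUrl = `/api/search?term=${POC_TERM}`;
const sampleJson = '{"status":200,"body":"[]"}';

console.log(countScriptOpenTags(renderNaive(sampleUrl, sampleJson)));   // 3
console.log(countScriptOpenTags(renderEscaped(sampleUrl, sampleJson))); // 1
```

The same count can be asserted in an SSR test for any route whose `load` fetches a URL built from query parameters.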