Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using @html is a security vulnerability #88

Open
olehmisar opened this issue Sep 5, 2023 · 1 comment
Open

Using @html is a security vulnerability #88

olehmisar opened this issue Sep 5, 2023 · 1 comment
Labels
enhancement New feature or request

Comments

@olehmisar
Copy link

olehmisar commented Sep 5, 2023
edited
Loading

Rendering un-sanitised html via @html is a potential xss (cross site scripting) vulnerability if that html is provided by a user. Consider removing support of html toast messages in favour of svelte component toast messages.

Warning! Svelte doesn't perform any sanitization of the expression inside {@html ...} before it gets inserted into the DOM. This isn't an issue if the content is something you trust like an article you wrote yourself. However if it's some untrusted user content, e.g. a comment on an article, then it's critical that you manually escape it, otherwise you risk exposing your users to Cross-Site Scripting (XSS) attacks.
-- https://learn.svelte.dev/tutorial/html-tags
@zerodevx
Copy link
Owner

zerodevx commented Sep 5, 2023

Yes. That will be done in the next release.

@zerodevx zerodevx added the enhancement New feature or request label Sep 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zerodevx @olehmisar