Cross-Site Scripting attack (XSS) on dev mode 404 page in SvelteKit

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. "Unsanitized input from *the request URL* flows into `end`, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS)." The files `packages/kit/src/exports/vite/dev/index.js` and `packages/kit/src/exports/vite/utils.js` both contain user controllable data which under specific conditions may flow to dev mode pages. There is little to no expected impact. The Vite development is not exposed to the network by default and even if someone were able to trick a developer into executing an XSS against themselves, a development database should not have any sensitive data. None the less this issue has been addressed in version 2.8.3 and all users are advised to upgrade.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

SvelteKit 跨站脚本漏洞

SvelteKit是Svelte开源的一套Web 开发框架。 SvelteKit 2.8.3之前版本存在跨站脚本漏洞，该漏洞源于存在输入数据未净化和特定文件中用户可控数据流向问题，从而导致容易受到跨站脚本攻击。

N/A

N/A