From 0f68a00c3c3203062bb5f99bc5362beeb816dcff Mon Sep 17 00:00:00 2001
From: Rich Harris
Date: Fri, 23 Jan 2026 17:09:12 -0500
Subject: [PATCH] chore: defense-in-depth against script escapes (#17479)
* chore: defense-in-depth against script escapes
* Update packages/svelte/src/internal/server/dev.js
---
 packages/svelte/src/internal/server/dev.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/packages/svelte/src/internal/server/dev.js b/packages/svelte/src/internal/server/dev.js
index 4a6cdb8cf6..e953bac6ce 100644
--- a/packages/svelte/src/internal/server/dev.js
+++ b/packages/svelte/src/internal/server/dev.js
@@ -40,7 +40,12 @@ function print_error(renderer, message) {
 // eslint-disable-next-line no-console
 console.error(message);
- renderer.head((r) => r.push(``));
+ renderer.head((r) =>
+ r.push(
+ // ensure that `` can't leak in to the script contents
+ ``
+ )
+ );
 }
 /**
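Review bot: The escaping applied inside the new `r.push(...)` template literal should cover every `<` in the serialized message, not only the closing-tag sequence. The literal's contents are not visible on this page, so this is hedged: if the replacement targets only the `</` prefix, `<!--` and `<script` still reach the inline script, and those sequences change how the HTML parser looks for the end of the element. A single `.replace(/</g, '\\u003c')` on the `JSON.stringify(message)` output handles all three and leaves the value a valid JS string. The diffstat lists only dev.js, so a regression test that renders a message containing a closing script tag and asserts the emitted head holds exactly one script element would pin the behaviour. print_error begins above the hunk, so whether `message` is sanitized earlier cannot be judged from here.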