From a3c372a147e961651eeedbab394b3a5714d9eca1 Mon Sep 17 00:00:00 2001
From: onlybugs05
Date: Sun, 3 May 2026 13:00:27 +0530
Subject: [PATCH 1/4] fix: prevent CSS injection in style directives

---
 .../svelte/src/internal/shared/attributes.js | 45 ++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/packages/svelte/src/internal/shared/attributes.js b/packages/svelte/src/internal/shared/attributes.js
index 487a40baf3..df42c8a81f 100644
--- a/packages/svelte/src/internal/shared/attributes.js
+++ b/packages/svelte/src/internal/shared/attributes.js
@@ -89,6 +89,49 @@ export function to_class(value, hash, directives) {
 return classname === '' ? null : classname;
 }

+/**
+ * @param {any} value
+ * @returns {string}
+ */
+function escape_style_value(value) {
+ var str = String(value);
+ var escaped = '';
+ /** @type {boolean | '"' | "'"} */
+ var in_str = false;
+ var in_apo = 0;
+ var in_comment = false;
+
+ const len = str.length;
+ for (var i = 0; i < len; i++) {
+ var c = str[i];
+
+ if (in_comment) {
+ if (c === '/' && i > 0 && str[i - 1] === '*') {
+ in_comment = false;
+ }
+ } else if (in_str) {
+ if (c === in_str) {
+ in_str = false;
+ }
+ } else if (c === '/' && i + 1 < len && str[i + 1] === '*') {
+ in_comment = true;
+ } else if (c === '"' || c === "'") {
+ in_str = c;
+ } else if (c === '(') {
+ in_apo++;
+ } else if (c === ')') {
+ in_apo--;
+ }
+
+ if (c === ';' && !in_comment && in_str === false && in_apo === 0) {
+ continue;
+ }
+ escaped += c;
+ }
+
+ return escaped;
+}
+
 /**
 *
 * @param {Record} styles
@@ -101,7 +144,7 @@ function append_styles(styles, important = false) {
 for (var key of Object.keys(styles)) {
 var value = styles[key];
 if (value != null && value !== '') {
- css += ' ' + key + ': ' + value + separator;
+ css += ' ' + key + ': ' + escape_style_value(value) + separator;
 }
 }

From 04a39266b0686742934c703931c0d11dd28a84dd Mon Sep 17 00:00:00 2001
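Review bot: The comment-close test in `escape_style_value`, `c === '/' && i > 0 && str[i - 1] === '*'`, is also satisfied by the `*` that opened the comment, so `/*/` is read as a complete comment while a CSS tokenizer is still inside one; from there the two disagree about which `;` is live, and a terminator the browser honours can be kept. Consuming the opener as a pair closes that gap: in the `/*` branch use `escaped += c; c = str[++i]; in_comment = true;`. The string state has a similar gap, because an unescaped newline ends a CSS string (as a bad-string token) while `in_str` is only cleared by the matching quote; the `in_str` branch should also reset on `'\n'`, `'\r'` and `'\f'`. A one-line comment saying the function drops top-level `;` rather than escaping it would match what the code does.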
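Review bot: `key` is still concatenated unfiltered on the changed line in `append_styles`, so only the value side of each declaration is covered. That is fine if property names always come from directive names fixed at compile time, but nothing visible in this hunk establishes it, so the assumption deserves a comment such as `// keys are style: directive names fixed at compile time; only values are runtime data`. The body of `append_styles` starts and ends outside the hunk.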
From: onlybugs05
Date: Sun, 3 May 2026 13:04:26 +0530
Subject: [PATCH 2/4] docs: add changeset for CSS injection fix

---
 .changeset/security-fix-css-injection.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/security-fix-css-injection.md

diff --git a/.changeset/security-fix-css-injection.md b/.changeset/security-fix-css-injection.md
new file mode 100644
index 0000000000..398ddb15a5
--- /dev/null
+++ b/.changeset/security-fix-css-injection.md
@@ -0,0 +1,5 @@
+---
+"svelte": patch
+---
+
+fix: prevent CSS injection in style directives
From f9e0a3461b9996b7412af76274b3e1d5aa4a5e10 Mon Sep 17 00:00:00 2001
From: onlybugs05
Date: Mon, 4 May 2026 14:18:44 +0530
Subject: [PATCH 3/4] fix: address CSS injection bypasses in style directives

---
 packages/svelte/src/internal/shared/attributes.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/svelte/src/internal/shared/attributes.js b/packages/svelte/src/internal/shared/attributes.js
index df42c8a81f..d029d6edbf 100644
--- a/packages/svelte/src/internal/shared/attributes.js
+++ b/packages/svelte/src/internal/shared/attributes.js
@@ -105,6 +105,14 @@ function escape_style_value(value) {
 for (var i = 0; i < len; i++) {
 var c = str[i];

+ if (c === '\\') {
+ escaped += c;
+ if (i + 1 < len) {
+ escaped += str[++i];
+ }
+ continue;
+ }
+
 if (in_comment) {
 if (c === '/' && i > 0 && str[i - 1] === '*') {
 in_comment = false;
@@ -120,7 +128,7 @@ function escape_style_value(value) {
 } else if (c === '(') {
 in_apo++;
 } else if (c === ')') {
- in_apo--;
+ if (in_apo > 0) in_apo--;
 }

 if (c === ';' && !in_comment && in_str === false && in_apo === 0) {
From 540df3a99a78c0f8eb54d5a88d838a9175200230 Mon Sep 17 00:00:00 2001
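Review bot: A value ending in a lone backslash is still emitted as-is by the new `if (c === '\\')` block, because `escaped += c` runs before the `i + 1 < len` check. `append_styles` then appends `separator`, and the trailing `\` escapes its first character; when that character is the `;`, the declaration is no longer terminated and the following property is absorbed into this value. Dropping an unpaired trailing backslash avoids this: make `if (i + 1 === len) continue;` the first statement of the block. The series also adds no test for `escape_style_value`; cases for strings, comments, nested parentheses, escapes and unbalanced input would pin the behaviour these patches rely on. The function body starts and ends outside the hunk.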
From: Jetti Hrushikesh
Date: Sat, 16 May 2026 23:29:26 +0530
Subject: [PATCH 4/4] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .changeset/security-fix-css-injection.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.changeset/security-fix-css-injection.md b/.changeset/security-fix-css-injection.md
index 398ddb15a5..41663b0c80 100644
--- a/.changeset/security-fix-css-injection.md
+++ b/.changeset/security-fix-css-injection.md
@@ -1,5 +1,5 @@
 ---
-"svelte": patch
+'svelte': patch
 ---

 fix: prevent CSS injection in style directives