chore(deps): update dependency svelte to v5.55.9

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
svelte (source)	5.19.4 → 5.55.9

---

Release Notes

sveltejs/svelte (svelte)

v5.55.9

Compare Source

Patch Changes

• fix: don't unset batch when calling {#await ...} promise (#​18243)

• fix: promise-ify {#await await ...} expressions on the server and correctly hydrate them on the client (#​18243)

• fix: deduplicate dependencies that are added outside the init/update cycle (#​18243)

• fix: avoid false-positive batch invariant error (#​18246)

• fix: inline primitive constants in attribute values during SSR (#​18232)

v5.55.8

Compare Source

Patch Changes

• fix(print): handle svelte:body and fix keyframe percentage double-printing (#​18234)

• fix: execute uninitialized derived even if it's destroyed (#​18228)

• fix: use named symbols everywhere (#​18238)

• fix: don't run teardown effects when deriveds are unfreezed (#​18227)

• fix: unset context synchronously in run (#​18236)

v5.55.7

Compare Source

Patch Changes

• fix: prevent XSS on hydratable from user contents (a16ebc67bbcf8f708360195687e1b2719463e1a4)

• chore: bump devalue (#​18219)

• fix: disallow empty attribute names during SSR (547853e2406a2147ad7fb5ffeba95b01bd9642da)

• fix: harden regex (d2375e2ebcab5c88feb5652f1a9d621b8f06b259)

• fix: move Svelte runtime properties to symbols (e1cbbd96441e82c9eb8a23a2903c0d06d3cda991)

v5.55.6

Compare Source

Patch Changes

• fix: leave stale promises to wait for a later resolution, instead of rejecting (#​18180)

• fix: keep dependencies of $state.eager/pending (#​18218)

• fix: reapply context after transforming error during SSR (#​18099)

• fix: don't rebase just-created batches (#​18117)

• chore: allow null for pending in typings (#​18201)

• fix: flush eager effects in production (#​18107)

• fix: rethrow error of failed iterable after calling return() (#​18169)

• fix: account for proxified instance when updating bind:this (#​18147)

• fix: ensure scheduled batch is flushed if not obsolete (#​18131)

• fix: resolve stale deriveds with latest value (#​18167)

• chore: remove unnecessary increment_pending calls (#​18183)

• fix: correctly compile component member expressions for SSR (#​18192)

• fix: reset source.updated stack traces after flush (#​18196)

• fix: replacing async 'blocking' strategy with 'merging' (#​18205)

• fix: allow @debug tags to reference awaited variables (#​18138)

• fix: re-run fallback props if dependencies update (#​18146)

• fix: abort running obsolete async branches (#​18118)

• fix: ignore comments when reading CSS values (#​18153)

• fix: wrap Promise.all in save during SSR (#​18178)

• fix: ignore false-positive errors of $inspect dependencies (#​18106)

v5.55.5

Compare Source

Patch Changes

• fix: don't mark deriveds while an effect is updating (#​18124)

• fix: do not dispatch introstart event with animation of animate directive (#​18122)

v5.55.4

Compare Source

Patch Changes

• fix: never mark a child effect root as inert (#​18111)

• fix: reset context after waiting on blockers of @const expressions (#​18100)

• fix: keep flushing new eager effects (#​18102)

v5.55.3

Compare Source

Patch Changes

• fix: ensure proper HMR updates for dynamic components (#​18079)

• fix: correctly calculate @const blockers (#​18039)

• fix: freeze deriveds once their containing effects are destroyed (#​17921)

• fix: defer error boundary rendering in forks (#​18076)

• fix: avoid false positives for reactivity loss warning (#​18088)

v5.55.2

Compare Source

Patch Changes

• fix: invalidate @const tags based on visible references in legacy mode (#​18041)

• fix: handle parens in template expressions more robustly (#​18075)

• fix: disallow -- in idPrefix (#​18038)

• fix: correct types for ontoggle on <details> elements (#​18063)

• fix: don't override $destroy/set/on instance methods in dev mode (#​18034)

• fix: unskip branches of earlier batches after commit (#​18048)

• fix: never set derived.v inside fork (#​18037)

• fix: skip rebase logic in non-async mode (#​18040)

• fix: don't reset status of uninitialized deriveds (#​18054)

v5.55.1

Compare Source

Patch Changes

• fix: correctly handle bindings on the server (#​18009)

• fix: prevent hydration error on async {@​html ...} (#​17999)

• fix: cleanup superTypeParameters in ClassDeclarations/ClassExpression (#​18015)

• fix: improve duplicate module import error message (#​18016)

• fix: reschedule new effects in prior batches (#​18021)

v5.55.0

Compare Source

Minor Changes

• feat: export TweenOptions, SpringOptions, SpringUpdateOptions and Updater from svelte/motion (#​17967)

Patch Changes

• fix: ensure HMR wrapper forwards correct start/end nodes to active effect (#​17985)

v5.54.1

Compare Source

Patch Changes

• fix: hydration comments during hmr (#​17975)

• fix: null out effect.b in destroy_effect (#​17980)

• fix: group sync statements (#​17977)

• fix: defer batch resolution until earlier intersecting batches have committed (#​17162)

• fix: properly invoke iterator.return() during reactivity loss check (#​17966)

• fix: remove trailing semicolon from {@​const} tag printer (#​17962)

v5.54.0

Compare Source

Minor Changes

• feat: allow css, runes, customElement compiler options to be functions (#​17951)

Patch Changes

• fix: reinstate reactivity loss tracking (#​17801)

v5.53.13

Compare Source

Patch Changes

• fix: ensure $inspect after top level await doesn't break builds (#​17943)

• fix: resume inert effects when they come from offscreen (#​17942)

• fix: don't eagerly access not-yet-initialized functions in template (#​17938)

• fix: discard batches made obsolete by commit (#​17934)

• fix: ensure "is standalone child" is correctly reset (#​17944)

• fix: remove nodes in boundary when work is pending and HMR is active (#​17932)

v5.53.12

Compare Source

Patch Changes

• fix: update select.__value on change (#​17745)

• chore: add invariant helper for debugging (#​17929)

• fix: ensure deriveds values are correct across batches (#​17917)

• fix: handle async RHS in assignment_value_stale (#​17925)

• fix: avoid traversing clean roots (#​17928)

v5.53.11

Compare Source

Patch Changes

• fix: remove untrack circular dependency (#​17910)

• fix: recover from errors that leave a corrupted effect tree (#​17888)

• fix: properly lazily evaluate RHS when checking for assignment_value_stale (#​17906)

• fix: resolve boundary in correct batch when hydrating (#​17914)

• chore: rebase batches after process, not during (#​17900)

v5.53.10

Compare Source

Patch Changes

• fix: re-process batch if new root effects were scheduled (#​17895)

v5.53.9

Compare Source

Patch Changes

• fix: better bind:this cleanup timing (#​17885)

v5.53.8

Compare Source

Patch Changes

• fix: {@​html} no longer duplicates content inside contenteditable elements (#​17853)

• fix: don't access inert block effects (#​17882)

• fix: handle asnyc updates within pending boundary (#​17873)

• perf: avoid re-traversing the effect tree after $: assignments (#​17848)

• chore: simplify scheduling logic (#​17805)

v5.53.7

Compare Source

Patch Changes

• fix: correctly add __svelte_meta after else-if chains (#​17830)

• perf: cache element interactivity and source line splitting in compiler (#​17839)

• chore: avoid rescheduling effects during branch commit (#​17837)

• perf: optimize CSS selector pruning (#​17846)

• fix: preserve original boundary errors when keyed each rows are removed during async updates (#​17843)

• perf: avoid O(n²) name scanning in scope generate and unique (#​17844)

• fix: preserve each items that are needed by pending batches (#​17819)

v5.53.6

Compare Source

Patch Changes

• perf: optimize parser hot paths for faster compilation (#​17811)

• fix: SvelteMap incorrectly handles keys with undefined values (#​17826)

• fix: SvelteURL search setter now returns the normalized value, matching native URL behavior (#​17828)

• fix: visit synthetic value node during ssr (#​17824)

• fix: always case insensitive event handlers during ssr (#​17822)

• chore: more efficient effect scheduling (#​17808)

• perf: optimize compiler analysis phase (#​17823)

• fix: skip redundant batch.apply (#​17816)

• chore: null out current_batch before committing branches (#​17809)

v5.53.5

Compare Source

Patch Changes

• fix: escape innerText and textContent bindings of contenteditable (0df5abcae223058ceb95491470372065fb87951d)

• fix: sanitize transformError values prior to embedding in HTML comments (0298e979371bb583855c9810db79a70a551d22b9)

v5.53.4

Compare Source

Patch Changes

• fix: set server context after async transformError (#​17799)

• fix: hydrate if blocks correctly (#​17784)

• fix: handle default parameters scope leaks (#​17788)

• fix: prevent flushed effects from running again (#​17787)

v5.53.3

Compare Source

Patch Changes

• fix: render :catch of #await block with correct key (#​17769)

• chore: pin aria-query@​5.3.1 (#​17772)

• fix: make string coercion consistent to toString (#​17774)

v5.53.2

Compare Source

Patch Changes

• fix: update expressions on server deriveds (#​17767)

• fix: further obfuscate node:crypto import from overzealous static analysis (#​17763)

v5.53.1

Compare Source

Patch Changes

• fix: handle shadowed function names correctly (#​17753)

v5.53.0

Compare Source

Minor Changes

• feat: allow comments in tags (#​17671)

• feat: allow error boundaries to work on the server (#​17672)

Patch Changes

• fix: use TrustedHTML to test for customizable <select> support, where necessary (#​17743)

• fix: ensure head effects are kept in the effect tree (#​17746)

• chore: deactivate current_batch by default in unset_context (#​17738)

v5.52.0

Compare Source

Minor Changes

• feat: support TrustedHTML in {@​html} expressions (#​17701)

Patch Changes

• fix: repair dynamic component truthy/falsy hydration mismatches (#​17737)

• fix: re-run non-render-bound deriveds on the server (#​17674)

v5.51.5

Compare Source

Patch Changes

• fix: check to make sure svelte:element tags are valid during SSR (73098bb26c6f06e7fd1b0746d817d2c5ee90755f)

• fix: misc option escaping and backwards compatibility (#​17741)

• fix: strip event handlers during SSR (a0c7f289156e9fafaeaf5ca14af6c06fe9b9eae5)

• fix: replace usage of for in with for of Object.keys (f89c7ddd7eebaa1ef3cc540400bec2c9140b330c)

• fix: always escape option body in SSR (f7c80da18c215e3727c2a611b0b8744cc6e504c5)

• chore: upgrade devalue (#​17739)

v5.51.4

Compare Source

Patch Changes

• chore: proactively defer effects in pending boundary (#​17734)

• fix: detect and error on non-idempotent each block keys in dev mode (#​17732)

v5.51.3

Compare Source

Patch Changes

• fix: prevent event delegation logic conflicting between svelte instances (#​17728)

• fix: treat CSS attribute selectors as case-insensitive for HTML enumerated attributes (#​17712)

• fix: locate Rollup annontaion friendly to JS downgraders (#​17724)

• fix: run effects in pending snippets (#​17719)

v5.51.2

Compare Source

Patch Changes

• fix: take async into consideration for dev delegated handlers (#​17710)

• fix: emit state_referenced_locally warning for non-destructured props (#​17708)

v5.51.1

Compare Source

Patch Changes

• fix: don't crash on undefined document.contentType (#​17707)

• fix: use symbols for encapsulated event delegation (#​17703)

v5.51.0

Compare Source

Minor Changes

• feat: Use TrustedTypes for HTML handling where supported (#​16271)

Patch Changes

• fix: sanitize template-literal-special-characters in SSR attribute values (#​17692)

• fix: follow-up formatting in print() — flush block-level elements into separate sequences (#​17699)

• fix: preserve delegated event handlers as long as one or more root components are using them (#​17695)

v5.50.3

Compare Source

Patch Changes

• fix: take into account nodeName case sensitivity on XHTML pages (#​17689)

• fix: render multiple and selected attributes as empty strings for XHTML compliance (#​17689)

• fix: always lowercase HTML elements, for XHTML compliance (#​17664)

• fix: freeze effects-inside-deriveds when disconnecting, unfreeze on reconnect (#​17682)

• fix: propagate $effect errors to <svelte:boundary> (#​17684)

v5.50.2

Compare Source

Patch Changes

• fix: resolve effect_update_depth_exceeded when using bind:value on <select> with derived state in legacy mode (#​17645)

• fix: don't swallow DOMException when media.play() fails in bind:paused (#​17656)

• chore: provide proper public type for parseCss result (#​17654)

• fix: robustify blocker calculation (#​17676)

• fix: reduce if block nesting (#​17662)

v5.50.1

Compare Source

Patch Changes

• fix: render boolean attribute values as empty strings for XHTML compliance (#​17648)

• fix: prevent async render tag hydration mismatches (#​17652)

v5.50.0

Compare Source

Minor Changes

• feat: allow use of createContext when instantiating components programmatically (#​17575)

Patch Changes

• fix: ensure infinite effect loops are cleared after flushing (#​17601)

• fix: allow {#key NaN} (#​17642)

• fix: detect store in each block expression regardless of AST shape (#​17636)

• fix: treat <menu> like <ul>/<ol> for a11y role checks (#​17638)

• fix: add vite-ignore comment inside dynamic crypto import (#​17623)

• chore: wrap JSDoc URLs in @see and @link tags (#​17617)

• fix: properly hydrate already-resolved async blocks (#​17641)

• fix: emit each_key_duplicate error in production (#​16724)

• fix: exit resolved async blocks on correct node when hydrating (#​17640)

v5.49.2

Compare Source

Patch Changes

• chore: remove SvelteKit data attributes from elements.d.ts (#​17613)

• fix: avoid erroneous async derived expressions for blocks (#​17604)

• fix: avoid Cloudflare warnings about not having the "node:crypto" module (#​17612)

• fix: reschedule effects inside unskipped branches (#​17604)

v5.49.1

Compare Source

Patch Changes

• fix: merge consecutive large text nodes (#​17587)

• fix: only create async functions in SSR output when necessary (#​17593)

• fix: properly separate multiline html blocks from each other in print() (#​17319)

• fix: prevent unhandled exceptions arising from dangling promises in <script> (#​17591)

v5.49.0

Compare Source

Minor Changes

• feat: allow passing ShadowRootInit object to custom element shadow option (#​17088)

Patch Changes

• fix: throw for unset createContext get on the server (#​17580)

• fix: reset effects inside skipped branches (#​17581)

• fix: preserve old dependencies when updating reaction inside fork (#​17579)

• fix: more conservative assignment_value_stale warnings (#​17574)

• fix: disregard popover elements when determining whether an element has content (#​17367)

• fix: fire introstart/outrostart events after delay, if specified (#​17567)

• fix: increment signal versions when discarding forks (#​17577)

v5.48.5

Compare Source

Patch Changes

• fix: run boundary onerror callbacks in a microtask, in case they result in the boundary's destruction (#​17561)

• fix: prevent unintended exports from namespaces (#​17562)

• fix: each block breaking with effects interspersed among items (#​17550)

v5.48.4

Compare Source

Patch Changes

• fix: avoid duplicating escaped characters in CSS AST (#​17554)

v5.48.3

Compare Source

Patch Changes

• fix: hydration failing with settled async blocks (#​17539)

• fix: add pointer and touch events to a11y_no_static_element_interactions warning (#​17551)

• fix: handle false dynamic components in SSR (#​17542)

• fix: avoid unnecessary block effect re-runs after async work completes (#​17535)

• fix: avoid using dev-mode array.includes wrapper on internal array checks (#​17536)

v5.48.2

Compare Source

Patch Changes

• fix: export wait function from internal client index (#​17530)

v5.48.1

Compare Source

Patch Changes

• fix: hoist snippets above const in same block (#​17516)

• fix: properly hydrate await in {@​html} (#​17528)

• fix: batch resolution of async work (#​17511)

• fix: account for empty statements when visiting in transform async (#​17524)

• fix: avoid async overhead for already settled promises (#​17461)

• fix: better code generation for const tags with async dependencies (#​17518)

v5.48.0

Compare Source

Minor Changes

• feat: export parseCss from svelte/compiler (#​17496)

Patch Changes

• fix: handle non-string values in svelte:element this attribute (#​17499)

• fix: faster deduplication of dependencies (#​17503)

v5.47.1

Compare Source

Patch Changes

• fix: trigger selectedcontent reactivity (#​17486)

v5.47.0

Compare Source

Minor Changes

• feat: customizable <select> elements (#​17429)

Patch Changes

• fix: mark subtree of svelte boundary as dynamic (#​17468)

• fix: don't reset static elements with debug/snippets (#​17477)

v5.46.4

Compare Source

Patch Changes

• fix: use devalue.uneval to serialize hydratable keys (ef81048e238844b729942441541d6dcfe6c8ccca)

v5.46.3

Compare Source

Patch Changes

• fix: reconnect clean deriveds when they are read in a reactive context (#​17362)

• fix: don't transform references of function declarations in legacy mode (#​17431)

• fix: notify deriveds of changes to sources inside forks (#​17437)

• fix: always reconnect deriveds in get, when appropriate (#​17451)

• fix: prevent derives without dependencies from ever re-running (286b40c4526ce9970cb81ddd5e65b93b722fe468)

• fix: correctly update writable deriveds inside forks (#​17437)

• fix: remove $inspect calls after await expressions when compiling for production server code (#​17407)

• fix: clear batch between runs (#​17424)

• fix: adjust loc property of Program nodes created from <script> elements (#​17428)

• fix: don't revert source to UNINITIALIZED state when time travelling (#​17409)

v5.46.1

Compare Source

Patch Changes

• fix: type currentTarget in on function (#​17370)

• fix: skip static optimisation for stateless deriveds after await (#​17389)

• fix: prevent infinite loop when HMRing a component with an await (#​17380)

v5.46.0

Compare Source

Minor Changes

• feat: Add csp option to render(...), and emit hashes when using hydratable (#​17338)

v5.45.10

Compare Source

Patch Changes

• fix: race condition when importing AsyncLocalStorage (#​17350)

v5.45.9

Compare Source

Patch Changes

• fix: correctly reschedule deferred effects when reviving a batch after async work (#​17332)

• fix: correctly print !doctype during print (#​17341)

v5.45.8

Compare Source

Patch Changes

• fix: set AST root.start to 0 and root.end to template.length (#​17125)

• fix: prevent erroneous state_referenced_locally warnings on prop fallbacks (#​17329)

v5.45.7

Compare Source

Patch Changes

• fix: Add <textarea wrap="off"> as a valid attribute value (#​17326)

• fix: add more css selectors to print() (#​17330)

• fix: don't crash on hydratable serialization failure (#​17315)

v5.45.6

Compare Source

Patch Changes

• fix: don't issue a11y warning for <video> without captions if it has no src (#​17311)

• fix: add srcObject to permitted <audio>/<video> attributes (#​17310)

v5.45.5

Compare Source

Patch Changes

• fix: correctly reconcile each blocks after outroing branches are resumed (#​17258)

• fix: destroy each items after siblings are resumed (#​17258)

v5.45.4

Compare Source

Patch Changes

• chore: move DOM-related effect properties to effect.nodes (#​17293)

• fix: allow $props.id() to occur after an await (#​17285)

• fix: keep reactions up to date even when read outside of effect (#​17295)

v5.45.3

Compare Source

Patch Changes

• add props to state_referenced_locally (#​17266)

• fix: preserve node locations for better sourcemaps (#​17269)

• fix: handle cross-realm Promises in hydratable (#​17284)

v5.45.2

Compare Source

Patch Changes

• fix: array destructuring after await (#​17254)

• fix: throw on invalid {@​tag}s (#​17256)

v5.45.1

Compare Source

Patch Changes

• fix: link offscreen items and last effect in each block correctly (#​17240)

v5.45.0

Compare Source

Minor Changes

• feat: add print(...) function (#​16188)

v5.44.1

Compare Source

Patch Changes

• fix: await blockers before initialising const (#​17226)

• fix: link offscreen items and last effect in each block correctly (#​17244)

• fix: generate correct code for simple destructurings (#​17237)

• fix: ensure each block animations don't mess with transitions (#​17238)

v5.44.0

Compare Source

Minor Changes

• feat: hydratable API (#​17154)

v5.43.15

Compare Source

Patch Changes

• fix: don't execute attachments and attribute effects eagerly (#​17208)

• chore: lift "flushSync cannot be called in effects" restriction (#​17139)

• fix: store forked derived values (#​17212)

v5.43.14

Compare Source

Patch Changes

• fix: correctly migrate named self closing slots (#​17199)

• fix: error at compile time instead of at runtime on await expressions inside bindings/transitions/animations/attachments (#​17198)

• fix: take async blockers into account for bindings/transitions/animations/attachments (#​17198)

v5.43.13

Compare Source

Patch Changes

• fix: don't set derived values during time traveling (#​17200)

v5.43.12

Compare Source

Patch Changes

• fix: maintain correct linked list of effects when updating each blocks (#​17191)

v5.43.11

Compare Source

Patch Changes

• perf: don't use tracing overeager during dev (#​17183)

• fix: don't cancel transition of already outroing elements (#​17186)

v5.43.10

Compare Source

Patch Changes

• fix: avoid other batches running with queued root effects of main batch (#​17145)

v5.43.9

Compare Source

Patch Changes

• fix: correctly handle functions when determining async blockers (#​17137)

• fix: keep deriveds reactive after their original parent effect was destroyed (#​17171)

• fix: ensure eager effects don't break reactions chain (#​17138)

• fix: ensure async @const in boundary hydrates correctly (#​17165)

• fix: take blockers into account when creating #await blocks (#​17137)

• fix: parallelize async @consts in the template (#​17165)

v5.43.8

Compare Source

Patch Changes

• fix: each block losing reactivity when items removed while promise pending (#​17150)

v5.43.7

Compare Source

Patch Changes

• fix: properly defer document title until async work is complete (#​17158)

• fix: ensure deferred effects can be rescheduled later on (#​17147)

• fix: take blockers of components into account (#​17153)

v5.43.6

Compare Source

Patch Changes

• fix: don't deactivate other batches (#​17132)

v5.43.5

Compare Source

Patch Changes

• fix: ensure async static props/attributes are awaited (#​17120)

• fix: wait on dependencies of async bindings (#​17120)

• fix: await dependencies of style directives (#​17120)

v5.43.4

Compare Source

Patch Changes

• chore: simplify connection/disconnection logic (#​17105)

• fix: reconnect deriveds to effect tree when time-travelling (#​17105)

v5.43.3

Compare Source

Patch Changes

• fix: ensure fork always accesses correct values (#​17098)

• fix: change title only after any pending work has completed (#​17061)

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
todo-sveltekit	Ready	Preview, Comment	May 20, 2026 10:59am

[secure-code-warrior-for-github]

Micro-Learning Topic: External entity injection (Detected by phrase)

Matched on "xXe"

What is this? (2min video)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP XML External Entity (XXE) Processing - OWASP community page with comprehensive information about XML external entity attacks, and links to various OWASP resources to help detect or prevent it.
• MSDN Security Briefs - XML Denial of Service Attacks and Defenses - An MSDN Magazine article that goes into detail on XML entity attacks and how to defend against them.
• OWASP XML External Entity Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing XML external entity flaws in your applications.

[secure-code-warrior-for-github]

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "sSrf"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

[secure-code-warrior-for-github]

Micro-Learning Topic: Race condition (Detected by phrase)

Matched on "race condition"

What is this? (2min video)

A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions.

Try a challenge in Secure Code Warrior

[secure-code-warrior-for-github]

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "XSS"

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

• Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
• OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
• OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.