Background

I’ve been working through Vercel’s bug bounty program, which explicitly calls out server-side rendering and compiler security as focus areas. Svelte is a Tier 1 target in that program, and since Svelte 5 introduced a significant rework of how components are compiled and …

I’m a customer of Hover for my domain name needs. However, that will be changing because I don’t believe that they take issues seriously.

The first security issue

I was browsing their site, looking for a new domain, and being the constant tinkerer I am, I entered a single quote into the …