XSS Vulnerability in Live Preview

Question

Version: 0.16.22 Are you able to reproduce the bug from the demo? [ x] Yes Steps:Click Import HTMLInsert <img src="anyimagesource.gif" onload="alert(1)"/>The JS will be executed Having proper "sandbox" attribute on iframe could probably mitigate the problem.

artf · Accepted Answer

Well if you use GrapesJS and allow the possibility to insert custom HTML, yes, Self-XSS is possible. Unfortunately, there are few issues that do not allow me to fix this properlyI need to access the iframe's DOM in order to add/update inner components so, the editor won't work without sandbox="allow-same-origin".Running JS in the editor is one of its features (Components with JS) so to make them work I'd also need allow-scriptsHaving allow-same-origin and allow-scripts at the same time is almos...

rukavina · Answer

You are right, we thought sandbox="allow-same-origin" will do the job, but allow-scripts is also needed, and then it's like not using sandbox at all. But, what could be helpful anyway is to provide a way for grapejs users to somehow control attributes of the iframe canvas - that way they can take the responsibility and control sandbox value or other attributes. Thanks!

blinkybill · Answer

if you use content security policy http header you can get around a lot of XSS issues like this. but there is one issue with GrapesJS atm which is that it uses underscore.js, which includes a function with use of "eval" so you can't make the CSP header as secure as it should be

XSS Vulnerability in Live Preview

Question

Answers (3)

Related Questions and Answers

[Bug]: Unit select field missing on IE after click

BUG: Problem importing CSS and module in nodejs es6

[BUG] Can't remove style property on selected device

[BUG]: TypeError: Cannot read property 'get' of undefined

Paid Plugins That Match This Issue

Browse Plugin Categories