Support Content-Security-Policy
Question
To reduce the possible attack surface if the editor is used in "hostile" environments (e.g. in SaaS platforms), support for CSP is required. This will also prevent problems like https://github.com/artf/grapesjs/issues/3082
At the moment, the only problem that prevents effective CSP rules is the use of new Function() in the GrapesJS code, which requires a CSP rule of unsafe-eval.
Is there a different way to implement that?
Answers (4)
ok then, I'll try to fix it for the next release.
mmm I'm not sure exactly how I'm able to fix it, and what do you mean by "the use of new Function() in the GrapesJS code", as there is no such thing in the source?
Found out that it's in the dist files due to underscore.js template() method which uses new Function(). I think this will make it hard to replace or remove that dependency to enforce a CSP without 'unsafe-eval'.
Thanks for reporting this, @aimeos. Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date. For you right now: Run npm audit fix to see available patches. Check for a newer GrapesJS version that may have already addressed this. If available,...
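The thread identifies the underlying issue as underscore's template() compiling template strings with new Function(), which a policy without 'unsafe-eval' blocks. The following is an added example, not GrapesJS or underscore.js code and not posted by anyone in this thread. It shows three things a maintainer or integrator would want: a bundle scan that locates the constructs forcing 'unsafe-eval' (the kind of search that found the call in the dist files), a template renderer that interpolates dotted property paths by parsing rather than by generating JavaScript, so it works under a strict policy, and a runtime probe that reports whether dynamic code is permitted. The header value, the sample bundle text and the template syntax are assumptions constructed for the example.

```javascript
// Added example (not GrapesJS or underscore.js code). Demonstrates how to
// find 'unsafe-eval' dependencies in a bundle and how to render templates
// without generating code, so a CSP without 'unsafe-eval' can be served.

// Assumed strict policy for the page embedding the editor; adjust origins
// for your deployment. 'unsafe-eval' is deliberately absent.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed sample of what a built bundle might contain. In practice pass
// the text of the dist file (e.g. read with fs.readFileSync).
const SAMPLE_BUNDLE = [
  "var _ = require('underscore');",
  "var render = new Function('obj', 'return \"hi \" + obj.name;');",
  "var x = JSON.parse('{\"a\":1}');",
  "eval('1+1');",
].join('\n');

// Report every line that uses a construct requiring 'unsafe-eval':
// new Function(), eval(), and setTimeout/setInterval with a string body.
function findDynamicCodeSites(source) {
  const patterns = [
    /\bnew\s+Function\s*\(/,
    /\beval\s*\(/,
    /\bset(?:Timeout|Interval)\s*\(\s*['"`]/,
  ];
  const hits = [];
  source.split('\n').forEach((line, i) => {
    patterns.forEach((re) => {
      const m = line.match(re);
      if (m) hits.push({ line: i + 1, match: m[0].trim() });
    });
  });
  return hits;
}

// Escape HTML metacharacters so interpolated values cannot inject markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Compile "Hello <%- user.name %>" into a render function by splitting the
// source into literal and placeholder parts. No JavaScript source text is
// generated or evaluated, so this runs under a CSP without 'unsafe-eval'.
// Assumed syntax: <%- path %> escapes, <%= path %> inserts raw; `path` is a
// dotted property path into the data object, not an arbitrary expression.
function compileTemplate(source) {
  const parts = [];
  const re = /<%([-=])\s*([\w.]+)\s*%>/g;
  let last = 0;
  let m;
  while ((m = re.exec(source)) !== null) {
    if (m.index > last) parts.push({ text: source.slice(last, m.index) });
    parts.push({ path: m[2].split('.'), escape: m[1] === '-' });
    last = re.lastIndex;
  }
  if (last < source.length) parts.push({ text: source.slice(last) });

  const lookup = (data, path) =>
    path.reduce((obj, key) => (obj == null ? undefined : obj[key]), data);

  return function render(data) {
    return parts
      .map((p) => {
        if (p.text !== undefined) return p.text;
        const v = lookup(data, p.path);
        const s = v == null ? '' : String(v);
        return p.escape ? escapeHtml(s) : s;
      })
      .join('');
  };
}

// Runtime probe: in a browser enforcing a policy without 'unsafe-eval' the
// constructor call throws an EvalError and this returns false; in Node (no
// CSP) it returns true.
function dynamicCodeAllowed() {
  try {
    new Function('return 1')();
    return true;
  } catch (e) {
    return false;
  }
}

module.exports = { CSP_HEADER, SAMPLE_BUNDLE, findDynamicCodeSites, compileTemplate, dynamicCodeAllowed };
```

The trade-off is the one the thread implies: a path-only renderer cannot run the arbitrary JavaScript that _.template allows inside a placeholder, which is exactly the capability a strict policy is meant to remove. Running findDynamicCodeSites over the built bundle is a cheap CI check that the dependency has not reintroduced a code-generating construct after an upgrade.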