Values are not escaped
Question
GrapesJS code is open to XSS issues because values are inserted into DOM without escaping, e.g. https://github.com/artf/grapesjs/blob/dev/src/asset_manager/view/AssetImageView.js#L30
If model.getFilename() returns <img src=x onerror=alert(document.cookie)>.jpg, this can result in an account takeover. Instead, the code should be, for example:
```js
return `
  <div class="${_.escape(pfx)}name">${_.escape(name)}</div>
  <div class="${_.escape(pfx)}dimensions">${_.escape(dim)}</div>
`;
```
Similar issue here https://github.com/artf/grapesjs/blob/dev/src/asset_manager/view/AssetImageView.js#L15, and the fix would be the same:
```js
return `
  <div class="${_.escape(pfx)}preview" style="background-image: url('${_.escape(src)}');"></div>
  <div class="${_.escape(pfx)}preview-bg ${_.escape(this.ppfx)}checker-bg"></div>
`;
```
To be on the safe side, everything that is injected into HTML code must be escaped.
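The unescaped template from the report beside its escaped form, as an added example that is not code from the issue or from GrapesJS: `escapeHtml` is a stand-in for lodash's `_.escape` (it encodes `& < > " '`), the `renderInfo*`/`renderPreview*` functions and the `hostileAsset` object are constructed for illustration, and the filename carries the payload quoted in the report.

```javascript
// Stand-in for lodash's _.escape: encode the five characters that can
// break out of text content or a quoted attribute value.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable form (as in the report): model values go straight into markup.
function renderInfoUnsafe(model, pfx) {
  const name = model.getFilename();
  const dim = model.getDimensions();
  return `<div class="${pfx}name">${name}</div><div class="${pfx}dimensions">${dim}</div>`;
}

// Hardened form: every interpolated value is escaped, class prefixes included.
function renderInfoSafe(model, pfx) {
  const name = escapeHtml(model.getFilename());
  const dim = escapeHtml(model.getDimensions());
  const p = escapeHtml(pfx);
  return `<div class="${p}name">${name}</div><div class="${p}dimensions">${dim}</div>`;
}

// Same treatment for the preview: src lands inside a quoted style attribute,
// so the quote characters must be escaped as well as < and >.
function renderPreviewSafe(model, pfx, ppfx) {
  const src = escapeHtml(model.getSrc());
  const p = escapeHtml(pfx);
  return `<div class="${p}preview" style="background-image: url('${src}');"></div>` +
    `<div class="${p}preview-bg ${escapeHtml(ppfx)}checker-bg"></div>`;
}

// Constructed asset whose filename is the payload quoted in the report and
// whose src tries to close the attribute it is placed in.
const hostileAsset = {
  getFilename: () => '<img src=x onerror=alert(document.cookie)>.jpg',
  getDimensions: () => '640x480',
  getSrc: () => '"><img src=x onerror=alert(document.cookie)>',
};

// Detection check for the rendered markup: the layout only ever emits <div>
// elements, so any <img ...> tag can only have come from model data.
function containsInjectedTag(html) {
  return /<img\b/i.test(html);
}
```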
Answers (4)
@artf What are your plans because the vulnerability of GrapesJS to XSS is a pretty big security problem
Yeah, thanks for the report @aimeos. I'll fix it in the next version for sure.
@artf The documentation also often uses ${var} to insert variables into templates. This should also be changed, so that developers don't introduce security issues without knowing it.
Thanks for reporting this, @aimeos.
Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.
For you right now:
- Run `npm audit fix` to see available patches
- Check for a newer GrapesJS version that may have already addressed this
- If available, test the latest stable release before upgrading
- If the vulnerability is critical, `npm audit fix --force` is an option, but test thoroughly
Understanding the risk:
- Review the specific vulnerability details on GitHub Security Advisories
- Not all high-severity issues affect your code path
- Some vulnerabilities only trigger under specific conditions
Staying current:
- Watch for new GrapesJS releases
- Subscribe to security notifications on the repo
- The team prioritizes security updates in their release cycle