Issue #3596 · Opened July 6, 2021 by aimeos · 0 reactions

BUG: Values are not escaped

Question

GrapesJS code is open to XSS issues because values are inserted into the DOM without escaping, e.g. https://github.com/artf/grapesjs/blob/dev/src/asset_manager/view/AssetImageView.js#L30

If model.getFilename() returns <img src=x onerror=alert(document.cookie)>.jpg, this can result in an account takeover. Instead, the code should be, for example:

    return `
      <div class="${_.escape(pfx)}name">${_.escape(name)}</div>
      <div class="${_.escape(pfx)}dimensions">${_.escape(dim)}</div>
    `;

A similar issue is here https://github.com/artf/grapesjs/blob/dev/src/asset_manager/view/AssetImageView.js#L15 and the fix would be the same:

    return `
      <div class="${_.escape(pfx)}preview" style="background-image: url('${_.escape(src)}');"></div>
      <div class="${_.escape(pfx)}preview-bg ${_.escape(this.ppfx)}checker-bg"></div>
    `;

To be on the safe side, everything that is injected into HTML code must be escaped.
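The vulnerable and escaped template shapes from the report side by side, as an added example that is not part of the issue or of GrapesJS itself; `escapeHtml` is an assumed stand-in for lodash's `_.escape` so the block runs without lodash, and the class prefixes and dimensions are constructed sample values.

```javascript
// Added example, not GrapesJS code. `escapeHtml` stands in for lodash's
// `_.escape` (assumed equivalent for the five HTML-significant characters).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: values dropped straight into a template literal,
// so a filename containing markup becomes live DOM.
function renderInfoUnsafe(pfx, name, dim) {
  return `
      <div class="${pfx}name">${name}</div>
      <div class="${pfx}dimensions">${dim}</div>
    `;
}

// Hardened shape: every interpolated value passes through the escaper.
function renderInfoSafe(pfx, name, dim) {
  return `
      <div class="${escapeHtml(pfx)}name">${escapeHtml(name)}</div>
      <div class="${escapeHtml(pfx)}dimensions">${escapeHtml(dim)}</div>
    `;
}

// Same treatment for the preview markup: `src` sits inside a quoted CSS
// url() in a style attribute, and escaping the quote characters keeps a
// hostile value from closing the attribute and starting new markup.
function renderPreviewSafe(pfx, ppfx, src) {
  return `
      <div class="${escapeHtml(pfx)}preview" style="background-image: url('${escapeHtml(src)}');"></div>
      <div class="${escapeHtml(pfx)}preview-bg ${escapeHtml(ppfx)}checker-bg"></div>
    `;
}

// Constructed input: the filename payload quoted in the report.
const HOSTILE_NAME = '<img src=x onerror=alert(document.cookie)>.jpg';

// True when the rendered markup contains no raw <img tag opener, i.e. the
// payload survives only as inert text.
function isNeutralised(html) {
  return !/<img/i.test(html);
}

console.log(isNeutralised(renderInfoUnsafe('gjs-', HOSTILE_NAME, '10x10'))); // false
console.log(isNeutralised(renderInfoSafe('gjs-', HOSTILE_NAME, '10x10')));   // true
```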

Answers (3)

aimeos · July 14, 2021 · 0 reactions

@artf What are your plans? The vulnerability of GrapesJS to XSS is a pretty big security problem.

artf · July 14, 2021 · 0 reactions

Yeah, thanks for the report @aimeos, I'll fix it in the next version for sure.

aimeos · July 14, 2021 · 0 reactions

@artf The documentation also often uses ${var} to insert variables into templates. This should also be changed, to avoid developers introducing security issues without knowing it.
