Values are not escaped
Question
GrapesJS code is open to XSS issues because values are inserted into the DOM without escaping, e.g. https://github.com/artf/grapesjs/blob/dev/src/asset_manager/view/AssetImageView.js#L30
If model.getFilename() returns <img src=x onerror=alert(document.cookie)>.jpg, this can result in an account takeover. Instead the code should be for example:
return `
<div class="${_.escape(pfx)}name">${_.escape(name)}</div>
<div class="${_.escape(pfx)}dimensions">${_.escape(dim)}</div>
`;
Similar issue here https://github.com/artf/grapesjs/blob/dev/src/asset_manager/view/AssetImageView.js#L15 and the fix would be the same:
return `
<div class="${_.escape(pfx)}preview" style="background-image: url('${_.escape(src)}');"></div>
<div class="${_.escape(pfx)}preview-bg ${_.escape(this.ppfx)}checker-bg"></div>
`;
To be on the safe side, everything that is injected into HTML code must be escaped.
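As an added example (not GrapesJS's own code), here are the two templates quoted above with escaping applied; escapeHtml and cssUrlSafe are assumed helper names standing in for lodash's _.escape, with an extra step for the style attribute because the HTML parser entity-decodes the attribute value before the CSS parser ever reads url('...').

```javascript
// Added example (not GrapesJS code): a minimal escaping layer for the two
// templates quoted in the question. escapeHtml stands in for lodash's
// _.escape; cssUrlSafe is an extra step for the style attribute, because the
// browser entity-decodes the attribute before the CSS parser sees url('...').

// HTML-escape the five characters that can change the structure of markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Percent-encode the characters that could terminate a single-quoted CSS
// url('...') string or start a CSS escape. They remain valid inside a URL.
function cssUrlSafe(url) {
  return String(url).replace(/['"()\\\r\n]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Escaped version of the name/dimensions template from the question.
function renderInfo(pfx, name, dim) {
  return `
<div class="${escapeHtml(pfx)}name">${escapeHtml(name)}</div>
<div class="${escapeHtml(pfx)}dimensions">${escapeHtml(dim)}</div>
`;
}

// Escaped version of the preview template: CSS-safe first, then HTML-safe,
// so the value survives both the HTML parser and the CSS parser intact.
function renderPreview(pfx, ppfx, src) {
  const safeSrc = escapeHtml(cssUrlSafe(src));
  return `
<div class="${escapeHtml(pfx)}preview" style="background-image: url('${safeSrc}');"></div>
<div class="${escapeHtml(pfx)}preview-bg ${escapeHtml(ppfx)}checker-bg"></div>
`;
}

// Constructed sample input: a filename carrying markup, as in the report.
const hostileName = '<img src=x onerror=alert(document.cookie)>.jpg';
const info = renderInfo('gjs-am-', hostileName, '120x80');
// No raw tag survives: the filename is rendered as text, not parsed as HTML.
const infoIsSafe = !info.includes('<img');

// Constructed sample input: a value that tries to close the url('...') string.
const hostileSrc = "x.png');background:url(evil";
const preview = renderPreview('gjs-am-', 'gjs-', hostileSrc);
// Exactly one url( in the output means the second declaration never formed.
const previewIsSafe = preview.indexOf('url(') === preview.lastIndexOf('url(');
```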
Answers (4)
@artf What are your plans because the vulnerability of GrapesJS to XSS is a pretty big security problem
Yeah, thanks for the report @aimeos, I'll fix it in the next version for sure
@artf The documentation also often uses ${var} to insert variables into templates. This should also be changed, to avoid developers introducing security issues without knowing it.
Thanks for reporting this, @aimeos.
Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.
For you right now:
- Run npm audit fix to see available patches
- Check for a newer GrapesJS version that may have already addressed this
- If available, test the latest stable release before upgrading
- If the vulnerability is critical, npm audit fix --force is an option, but test thoroughly
Understanding the risk:
- Review the specific vulnerability details on GitHub Security Advisories
- Not all high-severity issues affect your code path
- Some vulnerabilities only trigger under specific conditions
Staying current:
- Watch for new GrapesJS releases
- Subscribe to security notifications on the repo
- The team prioritizes security updates in their release cycle