Values are not escaped
Question
GrapesJS code is open to XSS issues because values are inserted into the DOM without escaping, e.g. https://github.com/artf/grapesjs/blob/dev/src/assetmanager/view/AssetImageView.js#L30

If model.getFilename() returns <img src=x onerror=alert(document.cookie)>.jpg, this can result in an account takeover. Instead the code should be, for example:

Similar issue here https://github.com/artf/grapesjs/blob/dev/src/assetmanager/view/AssetImageView.js#L15 and the fix would be the same:

To be on the safe side, everything that is injected into HTML code must be escaped.
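The bug class the report describes, shown as an added example that is not GrapesJS code and not the reporter's suggested fix: a model value interpolated into an HTML template literal with `${var}`, next to a hardened rendering that escapes every interpolation by default (the same habit the answers below point out in the documentation). The filename payload is the one from the report; the `gjs-am-` class prefix, the function names and the check helper are assumptions made for the demonstration.

```javascript
// Added example, not code from the GrapesJS repository.
// Constructed attacker-controlled filename, taken from the report above.
const MALICIOUS_FILENAME = '<img src=x onerror=alert(document.cookie)>.jpg';

// Replacements for the characters that can change meaning in HTML text
// or inside a double/single-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so it is rendered as literal text, not parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: mirrors the `${name}` interpolation pattern from the report.
// Whatever `name` contains becomes markup once the string hits innerHTML.
function renderAssetUnsafe(pfx, name) {
  return `<div class="${pfx}name">${name}</div>`;
}

// Tagged template: every ${...} interpolation passes through escapeHtml,
// so the convenient `${var}` style stays safe without remembering to
// escape at each call site. Static template text is left untouched.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Hardened: same template, rendered through the auto-escaping tag.
function renderAssetSafe(pfx, name) {
  return html`<div class="${pfx}name">${name}</div>`;
}

// Check used by the tests: strip the expected <div> wrapper and report
// whether any HTML tag survived inside it (i.e. whether injection happened).
function containsInjectedTag(rendered) {
  const inner = rendered
    .replace(/^<div class="[^"]*">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-z]/i.test(inner);
}

// Stand-alone demonstration.
console.log('unsafe:', renderAssetUnsafe('gjs-am-', MALICIOUS_FILENAME));
console.log('safe:  ', renderAssetSafe('gjs-am-', MALICIOUS_FILENAME));
```

Escaping is context-dependent: the table above is correct for HTML text and for quoted attribute values, but a value that lands in an unquoted attribute, in a `src`/`href` URL or inside an inline script needs its own encoding, and in browser code the more robust option is to build nodes with `textContent` and `setAttribute` rather than assigning concatenated strings to `innerHTML` at all.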
Answers (4)
@artf What are your plans because the vulnerability of GrapesJS to XSS is a pretty big security problem
Yeah, thanks for the report @aimeos. I'll fix it in the next version for sure.
@artf The documentation also often uses ${var} to insert variables into templates. This should also be changed, to avoid developers introducing security issues too without knowing it.
Thanks for reporting this, @aimeos. Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date. For you right now:
- Run npm audit fix to see available patches
- Check for a newer GrapesJS version that may have already addressed this
- If available,...