Issue #3596 (Answered) · Opened Jul 6, 2021 by aimeos

Values are not escaped


Question

GrapesJS code is open to XSS issues because values are inserted into the DOM without escaping, e.g. https://github.com/artf/grapesjs/blob/dev/src/assetmanager/view/AssetImageView.js#L30

If `model.getFilename()` returns `<img src=x onerror=alert(document.cookie)>.jpg`, this can result in an account takeover. Instead the code should be for example:

Similar issue here https://github.com/artf/grapesjs/blob/dev/src/assetmanager/view/AssetImageView.js#L15 and the fix would be the same:

To be on the safe side, everything that is injected into HTML code must be escaped.

Answers (4)

aimeos · Jul 14, 2021

@artf What are your plans because the vulnerability of GrapesJS to XSS is a pretty big security problem

artf · Jul 14, 2021

Yeah thanks for the report @aimeos I'll fix it in the next version for sure

aimeos · Jul 14, 2021

@artf The documentation also uses ${var} to insert variables into templates often. This should also be changed to avoid that developers introduce security issues too without knowing that.
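Added example, not GrapesJS code and not from either commenter: an `escapeHtml` helper plus an `html` tagged template literal that escapes every `${...}` interpolation by default, which addresses both the unescaped `getFilename()` value in the question and the `${var}` template pattern mentioned above. The `renderName*` functions, the `name` class and the sample filename are stand-ins constructed for the example, not the project's own template.

```javascript
// Map of the characters that matter in HTML text and quoted-attribute context.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value so it is rendered as literal text, never parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Wrapper marking a string as already-safe markup so `html` won't re-escape it.
class SafeHtml {
  constructor(value) { this.value = value; }
  toString() { return this.value; }
}

// Tagged template: html`<div>${v}</div>` escapes v unless v is SafeHtml.
// Template text between the ${} slots is trusted; only interpolations are escaped.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.value : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Stand-ins for an asset view template (hypothetical, not the project's code).
// `filename` plays the role of model.getFilename() from the report.
function renderNameUnescaped(filename) {
  return `<div class="name">${filename}</div>`;      // plain template literal: raw insert
}
function renderNameEscaped(filename) {
  return html`<div class="name">${filename}</div>`.toString(); // tagged: escaped insert
}

// Constructed sample input with the same shape as the payload quoted in the question.
const SAMPLE_NAME = '<img src=x onerror=alert(document.cookie)>.jpg';

// Crude defender-side check: does an <img> tag survive into the markup?
// A real test would parse the DOM; this is enough to show the difference.
function containsImgTag(markup) {
  return /<img\b/i.test(markup);
}

console.log(renderNameUnescaped(SAMPLE_NAME)); // the tag survives
console.log(renderNameEscaped(SAMPLE_NAME));   // rendered as &lt;img ...&gt;.jpg text
```

Because `escapeHtml` also encodes quotes, the same helper is correct for quoted attribute slots such as `src="${...}"`; it is not a substitute for URL validation of the `src` value itself.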

GJSBlock · May 17, 2026

Thanks for reporting this, @aimeos. Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date. For you right now:

- Run `npm audit fix` to see available patches
- Check for a newer GrapesJS version that may have already addressed this
- If available,...
