BUG: XSS vulnerability via component attributes
Question
GrapesJS version
- I confirm to use the latest version of GrapesJS
What browser are you using?
Chrome 97.0.4692.71
Reproducible demo link
https://jsfiddle.net/ovrz5ug2/4/
Describe the bug
Hi - we ran across this XSS vulnerability while using GrapesJS in a multiplayer type scenario, with several privileged users able to make changes to templates and components via the editor (i.e., non-devs). Effectively, this renders them vulnerable to an attack from within the organization, where one user adds malicious code, and a different one can come across it and run it.
How to reproduce the bug?
- Add malicious code into a component's id attribute, either directly in the HTML or via the trait manager (and save) - in this case, id="<details/open/ontoggle=alert(document.location)>"
- Click on the component in the live preview and observe the alert, OR via the Style Manager, when using the component state dropdown and changing it to a different state, e.g., hover.
What is the expected behavior?
No XSS via the component's attributes (including, but not limited to id).
What is the current behavior?
GrapesJS runs the malicious code.
If it is necessary to execute some code in order to reproduce the bug, paste it here below:
```html
<!-- see above: add this value to the component's attribute, e.g., id -->
<details/open/ontoggle=alert(document.location)>
```
If you have any tips or guidance, I could lend a hand with a PR.
Code of Conduct
- I agree to follow this project's Code of Conduct
Answers (3)
Thanks @diemkay please refer to this issue if you have any suggestions: https://github.com/artf/grapesjs/issues/3082
@artf Thanks, but I've already seen that ticket and it doesn't cover the issue I'm describing here.
The injection is not in Live Preview, it's in Style Manager, where it tries to display the id of the component, by setting .innerHtml.
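As an added example (not GrapesJS's own code, and not part of this thread), the pattern the comment above describes, a UI label built from a component attribute by assigning to innerHTML, shown next to two defensive alternatives: rendering through textContent, or HTML-escaping every interpolated value when markup has to be assembled as a string. The function names, the element-like object and the sample attributes are assumptions; the element argument is any object with innerHTML and textContent properties, so the block runs under Node without a DOM as well as in a browser.

```javascript
// Constructed sample attributes; the id value is the payload from the report.
const SAMPLE_ATTRS = { id: '<details/open/ontoggle=alert(document.location)>' };

// Unsafe (illustrative, not the project's code): the attribute value is handed to
// the HTML parser, so any markup or event handler inside it becomes live DOM.
function renderIdUnsafe(el, attrs) {
  el.innerHTML = `#${attrs.id}`;
  return el.innerHTML;
}

// Safe option 1: textContent never parses markup; the id is displayed literally.
function renderIdSafe(el, attrs) {
  el.textContent = `#${attrs.id}`;
  return el.textContent;
}

// Safe option 2: when a markup string must be assembled, escape the five
// HTML-significant characters of every interpolated value first.
function escapeHtml(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

function renderIdEscaped(el, attrs) {
  // Hypothetical wrapper markup; only the escaped value is interpolated.
  el.innerHTML = `<span class="sel-id">#${escapeHtml(attrs.id)}</span>`;
  return el.innerHTML;
}

// Stand-alone demonstration against plain objects standing in for elements.
function demo() {
  const unsafeEl = {};
  const safeEl = {};
  const escapedEl = {};
  return {
    unsafe: renderIdUnsafe(unsafeEl, SAMPLE_ATTRS),
    safe: renderIdSafe(safeEl, SAMPLE_ATTRS),
    escaped: renderIdEscaped(escapedEl, SAMPLE_ATTRS),
  };
}

console.log(demo());
```

The textContent route is the simplest fix for a label that only ever shows the attribute value; the escaping route applies when the widget genuinely needs surrounding markup, and in that case every dynamic value (id, class names, trait values) goes through the escaper, not just the one from this report.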
Yeah sorry, closed too soon 😁. I'll try to fix for the next release.