Issue #4076 (Answered). Opened Jan 17, 2022 by diemkay.

XSS vulnerability via component attributes

Quick answer by artf

Thanks @diemkay please refer to this issue if you have any suggestions: https://github.com/artf/grapesjs/issues/3082


Question

GrapesJS version: [X] I confirm to use the latest version of GrapesJS

What browser are you using? Chrome 97.0.4692.71

Reproducible demo link: https://jsfiddle.net/ovrz5ug2/4/

Describe the bug: Hi - we ran across this XSS vulnerability while using GrapesJS in a multiplayer type scenario, with several privileged users able to make changes to templates and components via the editor (i.e., non-devs). Effectively, this renders them vulnerable to an attack from within the organization, where one user adds malicious code, and a different one can come across it and run it.

How to reproduce the bug? Add m...

Answers (4)

diemkay • Jan 18, 2022

@artf Thanks, but I've already seen that ticket and it doesn't cover the issue I'm describing here.

The injection is not in Live Preview, it's in Style Manager, where it tries to display the id of the component, by setting .innerHTML.
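The innerHTML pattern this reply points at, as an added example that is not GrapesJS's own code: an id label built by concatenating the component id into markup (what assigning the result to innerHTML hands to the HTML parser), beside an escaped version equivalent to assigning textContent, plus a small tag lister so the difference can be checked. The sample id, the label markup and the gjs-sm-id class name are constructed for this example.

```javascript
// Added example, not GrapesJS code: contrast building a "selected component id"
// label with raw innerHTML-style concatenation against an escaped build.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let a value break out of HTML text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Unsafe: the id is dropped into markup verbatim, exactly as
// `el.innerHTML = '<span ...>#' + id + '</span>'` would feed it to the parser.
function unsafeIdLabelHtml(componentId) {
  return `<span class="gjs-sm-id">#${componentId}</span>`;
}

// Safe: escape before concatenating. In a browser the simpler fix is
// `el.textContent = '#' + id`, which never builds markup from the value.
function safeIdLabelHtml(componentId) {
  return `<span class="gjs-sm-id">#${escapeHtml(componentId)}</span>`;
}

// Detection helper: the tag names an HTML parser would see in a fragment,
// so a test or review can assert that only the expected wrapper is present.
function tagNames(html) {
  const names = [];
  const re = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the fragment introduces elements beyond the single wrapper tag.
function hasInjectedTags(html, wrapperTag = 'span') {
  return tagNames(html).some((t) => t !== wrapperTag);
}

// Constructed sample: an id value that contains markup instead of a plain
// identifier, as a privileged editor user could save it on a component.
const SAMPLE_ID = 'hero"><b>injected</b>';

// With the raw build the <b> element becomes part of the panel's DOM;
// with the escaped build it stays visible text.
const UNSAFE_RESULT = hasInjectedTags(unsafeIdLabelHtml(SAMPLE_ID)); // true
const SAFE_RESULT = hasInjectedTags(safeIdLabelHtml(SAMPLE_ID));     // false
```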

artf • Jan 19, 2022

Yeah sorry, closed too soon 😁. I'll try to fix for the next release.

GJSBlock • May 17, 2026

Thanks for reporting this, @diemkay. Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date. For you right now: Run npm audit fix to see available patches Check for a newer GrapesJS version that may have already addressed this If available,...
