Issue #4076 · Answered · Opened January 17, 2022 by diemkay · 0 reactions

XSS vulnerability via component attributes

Quick answer by artf

Thanks @diemkay please refer to this issue if you have any suggestions: https://github.com/artf/grapesjs/issues/3082


Question

GrapesJS version

  • I confirm that I am using the latest version of GrapesJS

What browser are you using?

Chrome 97.0.4692.71

Reproducible demo link

https://jsfiddle.net/ovrz5ug2/4/

Describe the bug

Hi - we ran across this XSS vulnerability while using GrapesJS in a multiplayer type scenario, with several privileged users able to make changes to templates and components via the editor (i.e., non-devs). Effectively, this renders them vulnerable to an attack from within the organization, where one user adds malicious code, and a different one can come across it and run it.

How to reproduce the bug?

  1. Add malicious code into a component's id attribute, either directly in the HTML or via the trait manager (and save) - in this case, id="<details/open/ontoggle=alert(document.location)>
  2. Click on the component in the live preview and observe the alert OR via the Style Manager, when using the component state dropdown and changing it to a different state, e.g., hover.

What is the expected behavior? No XSS via the component's attributes (including, but not limited to id).

What is the current behavior? GrapesJS runs the malicious code.

If it is necessary to execute some code in order to reproduce the bug, paste it below:

// see above, adding this code to the component's attribute, e.g., id
<details/open/ontoggle=alert(document.location)>

If you have any tips or guidance, I could lend a hand with a PR.

Code of Conduct

  • I agree to follow this project's Code of Conduct

Answers (4)

diemkay, January 18, 2022

@artf Thanks, but I've already seen that ticket and it doesn't cover the issue I'm describing here.

The injection is not in the Live Preview; it's in the Style Manager, where it tries to display the id of the component by setting innerHTML.
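The sink described in this thread, modelled as an added example (this is not GrapesJS code and not a patch from the project): a component's id attribute is concatenated into markup that is later assigned to innerHTML. innerHTML does not run `<script>` elements, but it does parse event-handler attributes, and a `<details>` element inserted with the `open` attribute fires its `toggle` event on its own, which is why the reported payload executes without a click. The block shows the vulnerable rendering beside two fixes: output encoding (or `textContent`) at the sink, and a conservative validity check on the id at the trait/model layer. The function names, the CSS class name and the identifier regex are assumptions made for the example.

```javascript
// Added example, not GrapesJS code: models the Style Manager sink from the
// report, where a component id is written into the panel via innerHTML.

// Payload from the report (constructed sample input).
const PAYLOAD = '<details/open/ontoggle=alert(document.location)>';

// Vulnerable: the attribute value is spliced straight into markup that the
// caller assigns to innerHTML. The parser sees a <details open ontoggle=...>
// element and the toggle event fires as soon as it is inserted.
function renderSelectorLabelUnsafe(id) {
  return `<span class="gjs-sm-selector">#${id}</span>`;
}

// Minimal HTML entity encoder for untrusted text placed in element content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fix 1a: encode at the sink. Same template, but the value can only be text.
function renderSelectorLabelSafe(id) {
  return `<span class="gjs-sm-selector">#${escapeHtml(id)}</span>`;
}

// Fix 1b (preferred in DOM code): build the node and set textContent, so the
// value is never handed to the HTML parser at all. Browser only.
function setSelectorLabel(container, id) {
  const span = container.ownerDocument.createElement('span');
  span.className = 'gjs-sm-selector';
  span.textContent = `#${id}`;
  container.replaceChildren(span);
  return span;
}

// Fix 2: defence in depth at the trait/model layer. The id is used to build a
// CSS selector (#id), so anything outside a conservative identifier alphabet
// is never a legitimate value and can be rejected before it is stored or
// rendered. The alphabet below is an assumption for this example; it is
// stricter than what HTML allows in an id.
const SAFE_ID = /^[A-Za-z_][A-Za-z0-9_-]*$/;
function isSafeIdAttribute(id) {
  return typeof id === 'string' && id.length > 0 && id.length <= 128 && SAFE_ID.test(id);
}

// Stand-alone demonstration; the DOM path only runs in a browser.
function demo() {
  const result = {
    unsafeMarkup: renderSelectorLabelUnsafe(PAYLOAD),
    safeMarkup: renderSelectorLabelSafe(PAYLOAD),
    payloadAccepted: isSafeIdAttribute(PAYLOAD),
    normalIdAccepted: isSafeIdAttribute('hero-section_2'),
  };
  if (typeof document !== 'undefined') {
    const host = document.createElement('div');
    setSelectorLabel(host, PAYLOAD);
    // One text node inside the span, no <details> element created.
    result.domChildTag = host.firstChild.firstChild.nodeType === 3 ? '#text' : 'element';
  }
  return result;
}

console.log(demo());
```

Encoding at the sink is the fix that closes the reported hole; the identifier check is a second layer that also protects any other place the id is rendered or used in a selector, and it rejects the reported payload because it contains `<`, `/`, `=`, `(`, `)` and `.`.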

artf, January 19, 2022

Yeah sorry, closed too soon 😁. I'll try to fix for the next release.

ClaudeCode, May 17, 2026

Thanks for reporting this, @diemkay.

Security and dependency issues are important. The GrapesJS team actively works on keeping dependencies up-to-date.

For you right now:

  1. Run npm audit fix to see available patches
  2. Check for a newer GrapesJS version that may have already addressed this
  3. If available, test the latest stable release before upgrading
  4. If the vulnerability is critical, npm audit fix --force is an option, but test thoroughly

Understanding the risk:

  • Review the specific vulnerability details on GitHub Security Advisories
  • Not all high-severity issues affect your code path
  • Some vulnerabilities only trigger under specific conditions

Staying current:

  • Watch for new GrapesJS releases
  • Subscribe to security notifications on the repo
  • The team prioritizes security updates in their release cycle
