Issue #4411, opened June 27, 2022 by zgeist (2 reactions)

BUG: XSS when adding a class name to the Selector Manager

Question

GrapesJS version

  • I confirm to use the latest version of GrapesJS

What browser are you using?

Chrome v102

Reproducible demo link

https://jsfiddle.net/szLp8h4n

Describe the bug

How to reproduce the bug?

  1. Select any component
  2. Add a class name to the Selector Manager like <a href="#"onclick='alert(123)'>check</a>
  3. After clicking on the class name, you get an alert

What is the expected behavior? The class name should be escaped

What is the current behavior? JavaScript runs in the class name

Need to add an escape function to the template https://github.com/artf/grapesjs/blob/dev/src/selector_manager/view/ClassTagView.ts#L13

Code of Conduct

  • I agree to follow this project's Code of Conduct

Answers (3)

artf, June 27, 2022 (2 reactions)

Thanks for the report, will be fixed in the next release.

Rawne, June 27, 2022 (0 reactions)

Also running into this XSS bug. For example adding "><img src=x onerror=alert('XSS')> to the classes of a component will cause it to pop up as well.

zgeist, June 27, 2022 (0 reactions)

Thanks a lot!
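
The escaping the report asks for, as an added example that is not part of the thread and not GrapesJS's own code. `escapeHtml`, `renderLabelUnsafe`, `renderLabelSafe` and the `<span>` markup are hypothetical stand-ins for a view template that prints a user-supplied class name; the sample inputs are the two strings quoted in the thread.

```javascript
// Added illustration. The render* functions are hypothetical stand-ins for a
// view template that prints a user-supplied class name; not GrapesJS code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// One pass over the string, so the '&' produced by an earlier replacement is
// never escaped a second time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the label is concatenated into markup, so the HTML parser decides
// what it means.
function renderLabelUnsafe(label) {
  return `<span class="tag-label">${label}</span>`;
}

// After: escaped for both the quoted-attribute and the element-text context.
function renderLabelSafe(label) {
  const safe = escapeHtml(label);
  return `<span class="tag-label" title="${safe}">${safe}</span>`;
}

// Number of tag openers the HTML parser would see in a rendered string.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Sample inputs: the two class names quoted in this thread.
const REPORTED = [
  `<a href="#"onclick='alert(123)'>check</a>`,
  `"><img src=x onerror=alert('XSS')>`,
];

for (const label of REPORTED) {
  console.log('unsafe:', countTagOpeners(renderLabelUnsafe(label)), 'tag openers');
  console.log('safe:  ', countTagOpeners(renderLabelSafe(label)), 'tag openers');
  console.log(renderLabelSafe(label));
}
```

Where a DOM is available, assigning the label through `textContent` keeps the value out of the HTML parser altogether.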
