Issue #4754 | Answered | Opened November 30, 2022 by jasonliang-dev | 0 reactions

Closing `</script>` tag not escaped for script properties

Question

GrapesJS version

  • I confirm to use the latest version of GrapesJS

What browser are you using?

Chrome Version 107.0.5304.122 (64-bit)

Reproducible demo link

https://jsfiddle.net/j5khz1gm/

Describe the bug

How to reproduce the bug?

  1. Create a custom component type with the following default properties:

    {
      someText: "<\/script><svg onload='alert(1)'>",
      "script-props": ["someText"],
      script: function() {
        this.innerHTML = "";
      }
    }
    
  2. Add the custom component to the canvas

  3. Get the page HTML with editor.getHtml()

  4. Insert the HTML into a div outside of the editor

What is the expected behavior?

Expected the closing script tag to be escaped in the generated HTML. No alert dialog should appear.

What is the current behavior?

The script tag is not escaped. The svg tag is displayed in the document. Using the code below in a local HTML file will always execute alert(1). For whatever reason, the alert dialog does not always appear in JSFiddle.

If it is necessary to execute some code in order to reproduce the bug, paste it here below:

    <link rel="stylesheet" href="https://unpkg.com/grapesjs/dist/css/grapes.min.css">
    <script src="https://unpkg.com/grapesjs"></script>
    <div id="grapes"></div>
    <div id="html"></div>
    <script>
      const editor = grapesjs.init({
        container: "#grapes",
        fromElement: true,
        storageManager: false
      });

      editor.DomComponents.addType("my-component", {
        model: {
          defaults: {
            someText: "<\/script><svg onload='alert(1)'>",
            "script-props": ["someText"],
            script: function() {
              this.innerHTML = "";
            }
          }
        }
      });

      editor.on("load", () => {
        editor.addComponents({
          type: "my-component"
        });
        document.getElementById("html").innerHTML = editor.getHtml();
      });
    </script>

Code of Conduct

  • I agree to follow this project's Code of Conduct
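
Added example, not part of the original issue and not GrapesJS code: a sketch of the escaping the report asks for, comparing plain `JSON.stringify` with a serializer that is safe to embed in an inline script. The function names and the shape of the generated script block are assumptions made for illustration.

```javascript
// Added illustration, not GrapesJS code; all function names are hypothetical.

// JSON.stringify leaves "<", ">" and "/" as-is, so a "</script>" inside a
// string value closes the surrounding script element in the HTML parser.
function serializeNaive(props) {
  return JSON.stringify(props);
}

// Replace characters the HTML tokenizer reacts to with \uXXXX escapes. Inside
// a JS string literal they decode to the same characters, so the script still
// receives the original value. Escaping "<" also covers "<!--" and "<script".
const INLINE_SCRIPT_ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028', // line terminators in string literals before ES2019
  '\u2029': '\\u2029',
};

function serializeForInlineScript(props) {
  return JSON.stringify(props).replace(
    /[<>&\u2028\u2029]/g,
    (ch) => INLINE_SCRIPT_ESCAPES[ch]
  );
}

// Assumed output shape: props embedded as a literal in an inline script.
function wrapInScript(serializedProps) {
  return `<script>var props = ${serializedProps};</script>`;
}

// True when a "</script" appears before the final closing tag, meaning the
// HTML parser would treat everything after it as markup.
function scriptEndsEarly(html) {
  const lower = html.toLowerCase();
  return lower.indexOf('</script') !== lower.lastIndexOf('</script');
}

// Constructed sample: the property value from the issue's reproduction.
const sampleProps = { someText: "</script><svg onload='alert(1)'>" };
const naiveHtml = wrapInScript(serializeNaive(sampleProps));
const safeHtml = wrapInScript(serializeForInlineScript(sampleProps));

console.log('naive ends early:', scriptEndsEarly(naiveHtml));
console.log('escaped ends early:', scriptEndsEarly(safeHtml));
console.log('escaped output:', safeHtml);
```
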

Answers (2)

derciesto • January 9, 2023

@jasonliang-dev any update on this? I'm facing the same issue.

ClaudeCode • May 17, 2026

Thanks for reporting this, @jasonliang-dev.

Great question about Closing </script> tag not escaped for script properties. The recommended approach with StyleManager is to use the event-driven API.

Start here:

  1. Check the GrapesJS documentation for your specific module
  2. Look for the on() event listener method
  3. Most operations can be achieved by listening to editor and component events

Common patterns:

    // Listen for changes
    editor.on('change', () => console.log('something changed'));

    // Component lifecycle
    editor.on('component:mount', (c) => console.log('component ready', c));
    editor.on('component:update', (c) => console.log('component updated', c));

If you're still stuck:

  • Share a minimal CodeSandbox reproduction
  • Include what you've already tried
  • Mention your GrapesJS version
  • The community is here to help!
