Issue #5743 (Solved). Opened Mar 11, 2024 by davidgabrichidze. 5 reactions

XSS vulnerability in iframe attribute src

Question

GrapesJS version: [x] I confirm to use the latest version of GrapesJS

What browser are you using? Edge v122

Reproducible demo link: https://jsfiddle.net/bwreyq29/1/

Describe the bug

How to reproduce the bug? Open this link https://jsfiddle.net/bwreyq29/1/ and the JavaScript code attached to the src attribute will be executed automatically.

What is the expected behaviour? This code shouldn't run.

What is the current behaviour? XSS vulnerability exists.

Code of Conduct: [x] I agree to follow this project's Code of Conduct

Answers (4)

👍 Most helpful: bernesto, Mar 12, 2024

I think the pre-parser option is a really good idea. It sticks to the 'plug-in' per feature concept. How about updating fromElement to accept a string element ID or boolean. If bool == true, works as it does now, parsing the container HTML. If a string ID, it uses the contents of the element and th...

artf, Mar 14, 2024

Totally agree with @bernesto; indeed, no matter how hard we try to make it safe, it will never be enough, and I don't want to give the impression that the library is "so safe" to justify a missing server-side validation. The current options (e.g. allowUnsafeAttr, allowUnsafeAttrValue) avoid only the ba...

bernesto, Mar 12, 2024

This is unavoidable when using fromElement to load from an active DOM element. The element of the page loads and executes synchronously. GrapesJS would never have a chance to process and disarm the XSS html. This would need to be addressed by preventing the malicious code from ever loading. This sh...

GJS Helper, May 17, 2026

This is indeed a valid XSS (Cross-Site Scripting) vulnerability. The issue arises because browsers automatically execute javascript: URLs when they are set as the src attribute of an iframe element. GrapesJS, by default, does not aggressively sanitize all attributes of incoming HTML content, especi...
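Added example, not code from GrapesJS or from anyone in this thread: the kind of pre-parse step bernesto's answer points at, an allowlist check on URL-valued attributes run over the untrusted markup before it is ever placed in the live DOM (where, as the answer above notes, the browser would execute a javascript: src on its own). The function names, the attribute-map shape and the sample iframe attributes are assumptions.

```javascript
// Only these schemes are acceptable for an iframe/anchor src or href.
// An allowlist also rejects data:, vbscript: and anything unexpected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Decode the character references an attribute value can hide a scheme
// behind (e.g. "&#106;avascript:"); only the ones relevant here are handled.
function decodeEntities(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/&colon;/gi, ':');
}

// True only for a relative URL or one whose scheme is in ALLOWED_SCHEMES.
function isSafeUrl(raw) {
  // Conservative normalisation: drop every ASCII control character and space.
  // The browser's URL parser strips tab/newline and trims surrounding
  // whitespace, so this is at least as strict as what the browser will see.
  const value = decodeEntities(String(raw)).replace(/[\u0000-\u0020\u007f]/g, '');
  if (value === '') return false;
  let url;
  try {
    // Hypothetical base so relative URLs parse; only the scheme is inspected.
    url = new URL(value, 'https://example.invalid/');
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol); // protocol is already lower-cased
}

// Attribute names whose values the browser navigates to or loads.
const URL_ATTRIBUTES = ['src', 'href', 'action', 'formaction', 'xlink:href'];

// Returns a copy of a plain name->value attribute map (assumed shape) with
// unsafe URL attributes removed, plus the dropped names so the caller can log
// them as a detection signal.
function sanitizeUrlAttributes(attrs) {
  const clean = {};
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (URL_ATTRIBUTES.includes(name.toLowerCase()) && !isSafeUrl(value)) {
      dropped.push(name);
      continue;
    }
    clean[name] = value;
  }
  return { attrs: clean, dropped };
}

// Constructed sample: attributes of an iframe like the one in the report.
const sample = { src: 'javascript:alert(1)', width: '300', height: '150' };
console.log(sanitizeUrlAttributes(sample)); // { attrs: { width: '300', height: '150' }, dropped: [ 'src' ] }
```

Run this over the markup string (or a detached template) on the way into editor.setComponents; it does nothing for content that is already mounted in the page, which is bernesto's point about fromElement.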
