XSS vulnerability in iframe attribute src
Question
GrapesJS version: [X] I confirm to use the latest version of GrapesJS
What browser are you using? Edge v122
Reproducible demo link: https://jsfiddle.net/bwreyq29/1/
Describe the bug / How to reproduce the bug? Open this link https://jsfiddle.net/bwreyq29/1/ and the javascript code attached to the src attribute will be executed automatically.
What is the expected behaviour? This code shouldn't run.
What is the current behaviour? XSS vulnerability exists.
Code of Conduct: [X] I agree to follow this project's Code of Conduct
Answers (4)
I think the pre-parser option is a really good idea. It sticks to the 'plug-in' per feature concept. How about updating fromElement to accept a string element ID or boolean. If bool == true, works as it does now, parsing the container HTML. If a string ID, it uses the contents of the element and th...
Totally agree with @bernesto; indeed, no matter how hard we try to make it safe, it will never be enough, and I don't want to give the impression that the library is "so safe" to justify a missing server-side validation. The current options (e.g. allowUnsafeAttr, allowUnsafeAttrValue) avoid only the ba...
This is unavoidable when using fromElement to load from an active DOM element. The element of the page loads and executes synchronously. GrapesJS would never have a chance to process and disarm the XSS HTML. This would need to be addressed by preventing the malicious code from ever loading. This sh...
This is indeed a valid XSS (Cross-Site Scripting) vulnerability. The issue arises because browsers automatically execute javascript: URLs when they are set as the src attribute of an iframe element. GrapesJS, by default, does not aggressively sanitize all attributes of incoming HTML content, especi...
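As an added example (not GrapesJS's own code and not from any of the answers above): a string-level pre-filter that drops iframe src attributes carrying an executable scheme before the HTML is inserted into the page or handed to the editor, which is the point where, as the fromElement answer notes, it still can be intercepted. It normalises the value the way browsers do (entity decoding, stripped control characters and tabs/newlines, case folding) so obfuscated variants are caught too; it complements server-side validation rather than replacing it.

```javascript
// Added example, not part of GrapesJS: neutralise javascript: URLs in iframe src
// attributes at the string level, before the markup ever reaches the DOM.

// Named entities commonly used to hide a scheme; numeric forms are handled generically.
const NAMED_ENTITIES = { tab: '\t', newline: '\n', colon: ':', amp: '&', lt: '<', gt: '>' };

// Decode &#106; / &#x6A; / &Tab; the way an HTML parser would before the URL is used.
function decodeEntities(value) {
  return value.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    const b = body.toLowerCase();
    let code = null;
    if (b.startsWith('#x')) code = parseInt(b.slice(2), 16);
    else if (b.startsWith('#')) code = parseInt(b.slice(1), 10);
    if (code !== null) return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    return NAMED_ENTITIES[b] ?? match;
  });
}

// Browsers strip leading/trailing C0 controls and spaces, and tab/LF/CR anywhere,
// before scheme detection, so "  java\tscript:" still resolves to javascript:.
function normaliseUrl(value) {
  return decodeEntities(value)
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase();
}

// javascript: is the scheme from the report; vbscript: is the legacy equivalent.
function isUnsafeUrl(value) {
  return /^(javascript|vbscript):/.test(normaliseUrl(value));
}

// Remove src attributes on <iframe> tags whose value resolves to an executable scheme.
function stripUnsafeIframeSrc(html) {
  return html.replace(/<iframe\b[^>]*>/gi, (tag) =>
    tag.replace(/\ssrc\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi, (attr, _q, dq, sq, bare) => {
      const value = dq ?? sq ?? bare ?? '';
      return isUnsafeUrl(value) ? '' : attr;
    })
  );
}
```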