Issue #6603 | Answered | Opened Sep 4, 2025 by nanto | 1 reactions

Ampersand is not escaped in attribute value


Question

GrapesJS version

[x] I confirm to use the latest version of GrapesJS

What browser are you using?

Chrome v142.0.7392.0 (canary)

Reproducible demo link

https://jsfiddle.net/xce183nm/1/

Describe the bug

How to reproduce the bug?

1. Create an editor instance and load HTML code that contains character references in attribute value.
2. Get HTML code.

What is the expected behavior?

Symbols in attribute value are escaped with character references. The title attribute value of the p element is parsed as < &amp; >.

What is the current behavior?

Symbols in attribute value are not escaped. The title attribute...

Answers (2)

artf • Sep 12, 2025

Thanks for providing all the info and details, that was helpful. Thanks also for the PR.

GJS Helper • May 17, 2026

You've identified a critical bug in GrapesJS's HTML serialization process regarding attribute value escaping. The issue stems from the Component model's renderAttributes method, which directly inserts attribute values into the HTML string without proper HTML entity escaping. This leads to unescaped...
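
The round trip described in this issue, as an added example that is not part of the thread and is not GrapesJS code: a serializer that copies attribute values verbatim next to one that escapes them, with a simplified parser stand-in to read the value back. All function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example: helper names are hypothetical, not GrapesJS APIs.

// Escape a string for a double-quoted HTML attribute value.
// "&" goes first so the entities produced below are not escaped twice.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Serializer that copies values verbatim (the behaviour reported in the issue).
function renderAttrsRaw(attrs) {
  return Object.entries(attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
}

// Serializer that escapes every value before writing it.
function renderAttrsEscaped(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => ` ${k}="${escapeAttrValue(v)}"`)
    .join('');
}

// Simplified stand-in for an HTML parser: read the title attribute back and
// decode the four named references used above, in a single pass.
function readTitle(html) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  const m = /title="([^"]*)"/.exec(html);
  return m ? m[1].replace(/&(amp|lt|gt|quot);/g, (_, n) => named[n]) : null;
}

// Serialize one title value with the given renderer, then parse it back.
function roundTrip(value, render) {
  return readTitle(`<p${render({ title: value })}>text</p>`);
}

// Constructed sample values.
const samples = ['< & >', 'R&D &lt;draft&gt;', 'size 5" < 6"'];
for (const s of samples) {
  console.log(JSON.stringify(s),
    '| raw:', JSON.stringify(roundTrip(s, renderAttrsRaw)),
    '| escaped:', JSON.stringify(roundTrip(s, renderAttrsEscaped)));
}
```

With the raw serializer the second and third values come back changed after one save and reload; with escaping all three survive unchanged.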
