GrapesJS version [x] I confirm to use the latest version of GrapesJS What browser are you using? Edge, mozilla Reproducible demo link NA Describe the bug underscore <=1.13.7 Severity: high underscore <=1.13.7 Severity: high Underscore has unlimited recursion in .flatten and .isEqual, potential for DoS attack - https:/...
artf
Thanks for the report @tiburciomzt The bump was merged and will soon be released.
GJS Helper
The issue you've reported regarding the underscore vulnerability (GHSA-qpx9-hpmf-5gmw) in grapesjs is valid and concerns a high-severity DoS vulnerability in underscore versions prior to 1.13.8. This vulnerability affects .flatten and .isE...
GrapesJS version [x] I confirm to use the latest version of GrapesJS What browser are you using? Chrome 143.0.7499.193 Reproducible demo link https://grapesjs.com/demo.html Describe the bug Hello. How to reproduce the bug? Import GrapeJS in a JS file / Node env : on a webpage using strict CSP rules, for instance : Doi...
GJS Helper
GrapesJS, by its nature as a dynamic web builder, relies on injecting styles and manipulating the DOM, which can indeed lead to Content Security Policy (CSP) violations, especially with very strict rules like yours. Let's break down the is...
GrapesJS version 0.22.14 (latest release as of 2025-11-20) What's the expected behavior? No deprecated dependencies in the GrapesJS install tree (or guidance/roadmap on replacing them). What's the current behavior? Installing [email protected] emits an npm/pnpm deprecation warning because it depends on backbone-undo@0....
GJS Helper
The deprecation warning for [email protected] when installing GrapesJS is a valid concern regarding dependency maintenance. Let's break down the situation and what it means for GrapesJS users. Root Cause: Deprecated Dependency GrapesJS c...
The codebase currently relies on outdated dependencies. This ticket aims to: Update all existing dependencies to their latest stable versions. Set up Dependabot to automatically check for and update dependencies in the future. Keeping dependencies up to date will improve security, performance, and compatibility with o...
GJS Helper
Keeping project dependencies up-to-date is crucial for security, performance, and compatibility. For a GrapesJS project, which typically uses Node.js and npm/yarn, this involves a two-pronged approach: initial manual updates and then autom...
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Edge v122 Reproducible demo link https://jsfiddle.net/bwreyq29/1/ Describe the bug How to reproduce the bug? open this link https://jsfiddle.net/bwreyq29/1/ and javascript code attached to src attribute will be executed au...
bernesto
I think the pre-parser option is a really good idea. It sticks to the 'plug-in' per feature concept. How about updating fromElement to accept a string element ID or boolean. If bool == true, works as it does now, parsing the container HTML...
artf
Totally agree with @bernesto indeed no matter how hard we try to make it safe, it will never be enough and I don't want to give the impression that the library is "so safe" to justify a missing server-side validation. The current options (...
bernesto
This is unavoidable when using fromElement to load from an active DOM element. The element of the page loads and executes synchronously. GrapesJS would never have a chance to process and disarm the XSS html. This would need to be addressed...
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Chrome v102 Reproducible demo link https://jsfiddle.net/szLp8h4n Describe the bug How to reproduce the bug?Select any componentAdd class name to Selector Manager like <a href="#"onclick='alert(123)'>check</a>After click on...
artf
Thanks for the report, will be fixed in the next release.
Rawne
Also running into this XSS bug. For example adding "><img src=x onerror=alert('XSS')> to the classes of a component will cause it to pop up as well.
GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Chrome 97.0.4692.71 Reproducible demo link https://jsfiddle.net/ovrz5ug2/4/ Describe the bug Hi - we ran across this XSS vulnerability while using GrapesJS in a multiplayer type scenario, with several privileged users able...
artf
Thanks @diemkay please refer to this issue if you have any suggestions: https://github.com/artf/grapesjs/issues/3082
diemkay
@artf Thanks, but I've already seen that ticket and it doesn't cover the issue I'm describing here. The injection is not in Live Preview, it's in Style Manager, where it tries to display the id of the component, by setting .innerHtml.
artf
Yeah sorry, closed too soon ๐. I'll try to fix for the next release.
GrapesJS code is open to XSS issues because values are inserted into DOM without escaping, e.g. https://github.com/artf/grapesjs/blob/dev/src/assetmanager/view/AssetImageView.js#L30 If model.getFilename() returns <img src=x onerror=alert(document.cookie)>.jpg, this can result in an account takeover. Instead the code s...
aimeos
@artf What are your plans because the vulnerability of GrapesJS to XSS is a pretty big security problem
artf
Yeah thanks for the report @aimeos I'll fix it in the next version for sure
aimeos
@artf The documentation also uses ${var} to insert variables into templates often. This should also be changed to avoid that developers introduce security issues too without knowing that.
To reduce the possible attack surface if the editor is used in "hostile" environments (e.g. in SaaS platforms) support for CSP is required. This will also prevent problems like https://github.com/artf/grapesjs/issues/3082 At the moment, the only problem that prevents effective CSP rules is the use of new Function() in...
artf
ok then, I'll try to fix it for the next release.
artf
mmm I'm not sure exactly how I'm able to fix it and what do you mean by is the use of new Function() in the GrapesJS code as there is no such a thing in the source?
aimeos
Found out that it's in the dist files due to underscore.js template() method which uses new Function(). I think this will make it hard to replace or remove that dependency to enforce a CSP without 'unsafe-eval'.