#6690 · January 16, 2026 · by HavokInspiration · No answers
GrapesJS version: [x] I confirm to use the latest version of GrapesJS
What browser are you using? Chrome 143.0.7499.193
Reproducible demo link: https://grapesjs.com/demo.html
Describe the bug: Hello.
How to reproduce the bug? Import GrapesJS in a JS file / Node env: on a webpage using strict CSP rules, for instance: Doi...
#6049 · August 7, 2024 · by danstarns · No answers
The codebase currently relies on outdated dependencies. This ticket aims to: Update all existing dependencies to their latest stable versions. Set up Dependabot to automatically check for and update dependencies in the future. Keeping dependencies up to date will improve security, performance, and compatibility with o...
#3558 · June 22, 2021 · by aimeos · 3 answers
To reduce the possible attack surface if the editor is used in "hostile" environments (e.g. in SaaS platforms) support for CSP is required. This will also prevent problems like https://github.com/artf/grapesjs/issues/3082 At the moment, the only problem that prevents effective CSP rules is the use of new Function() in...
artf
ok then, I'll try to fix it for the next release.
artf
mmm I'm not sure exactly how I'm able to fix it, and what do you mean by "the use of new Function() in the GrapesJS code", as there is no such thing in the source?
aimeos
Found out that it's in the dist files due to underscore.js template() method which uses new Function(). I think this will make it hard to replace or remove that dependency to enforce a CSP without 'unsafe-eval'.
#3481 · May 25, 2021 · by zgeist · 3 answers
Current version has a security issue. Might be updated to the newest version.
igorstasiuk
yeah +1, need to be updated to latest underscore version
artf
Hi guys, I'm closing this as a duplicate of #3443
kirill-malyhin
Also need that fix after pen test!
#3443 · May 7, 2021 · by chilled-capybara · 3 answers
Version: v0.17.3
Are you able to reproduce the bug from the demo? [x] Yes [ ] No
What is the expected behavior? See below
What is the current behavior? There is a known security vulnerability in one of the versions of underscore used by a nested dependency. The current version of GrapesJS utilises backbone-undo ^0.2.5 ht...
emyasnikov
I'm also wondering if backbone-undo is needed or can be replaced by something similar. The package hasn't been updated for 6 years
artf
> The package hasn't been updated for 6 years

Well, except updating its dependencies (like in this case, for security reason) it's a feature-complete library, there is no need to add/update anything else. Anyway, this PR seems to fix the sec...
chilled-capybara
Thanks for your reply.

> Anyway, this PR seems to fix the security vulnerability at the .lock level

but I'm not sure if they are kept on a fresh install. I think that might fix the version in the main GrapesJS repo, but I'm not sure it restricts the...
#2395 · November 10, 2019 · by JpTiger · 2 answers
This is a really dumb question, but I'm not finding the answer anywhere obvious: I'm a beginner with a free JS codecademy course under my belt and a lot of time spent making/maintaining sites on WordPress. I want to make a new website or three using open-source tools that'll be more user-friendly for myself and end us...
artf
I know OctoberCMS has this plugin and I've seen others but can't recall their names 😓
pouyamiralayi
@JpTiger there are tools out there based on GrapesJS that can help you design your page very quickly: Gramateria. The rest can be achieved using popular open source and easy to use CMSs like Pagekit and Directus. I personally prefer strap...
#1646 · December 11, 2018 · by anandaitwadekar · 2 answers
Hi, we are trying to integrate GrapesJS in the Salesforce Lightning Platform, but it seems we are getting loads of errors. Has anyone tried adding it to the Lightning Platform? Issues are mostly related to Locker Service guidelines. https://developer.salesforce.com/docs/atlas.en-us.lightning.meta/lightning/security...
artf
For integration questions SO is more valuable
lock[bot]
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
#1598 · November 20, 2018 · by kewilson · 2 answers
Hi, our SAST scanner detected the following, thought you might like to know. https://raw.githubusercontent.com/artf/grapesjs/dev/dist/grapes.js
Code (Line #29702): `this.setElement(this.createElement(_.result(this, 'tagName')));`
ClientDOMStored_XSS exists @ public/dist/grapes.js
Severity: High
CWE: 79 https://cwe.mitre....
artf
Thanks for the report @kewilson, but that line is totally legit for the editor. The library itself shouldn't be "able to hurt"; most of the vulnerabilities might be added during the integration.
lock[bot]
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.