GrapesJS Issues

3,464 parsed GitHub issues โ€” 370 solved ยท 90 open. Search, filter and explore battle-tested answers.

12 issues found

๐Ÿ” security
#6723Mar 5, 2026by tiburciomzt2 answers
2 reactions

Dependency: grapesjs >=0.21.13 Depends on vulnerable versions of underscore

GrapesJS version [x] I confirm to use the latest version of GrapesJS What browser are you using? Edge, mozilla Reproducible demo link NA Describe the bug underscore <=1.13.7 Severity: high underscore <=1.13.7 Severity: high Underscore has unlimited recursion in .flatten and .isEqual, potential for DoS attack - https:/...

artf

Thanks for the report @tiburciomzt The bump was merged and will soon be released.

GJS Helper

The issue you've reported regarding the underscore vulnerability (GHSA-qpx9-hpmf-5gmw) in grapesjs is valid and concerns a high-severity DoS vulnerability in underscore versions prior to 1.13.8. This vulnerability affects .flatten and .isE...

#6690Jan 16, 2026by HavokInspiration1 answer
0 reactions

CSP violations

GrapesJS version [x] I confirm to use the latest version of GrapesJS What browser are you using? Chrome 143.0.7499.193 Reproducible demo link https://grapesjs.com/demo.html Describe the bug Hello. How to reproduce the bug? Import GrapeJS in a JS file / Node env : on a webpage using strict CSP rules, for instance : Doi...

GJS Helper

GrapesJS, by its nature as a dynamic web builder, relies on injecting styles and manipulating the DOM, which can indeed lead to Content Security Policy (CSP) violations, especially with very strict rules like yours. Let's break down the is...

#6687Jan 13, 2026by rhaarhoff1 answer
0 reactions

Dependency: backbone-undo is deprecated (npm) โ€” any plan to replace/remove?

GrapesJS version 0.22.14 (latest release as of 2025-11-20) What's the expected behavior? No deprecated dependencies in the GrapesJS install tree (or guidance/roadmap on replacing them). What's the current behavior? Installing [email protected] emits an npm/pnpm deprecation warning because it depends on backbone-undo@0....

GJS Helper

The deprecation warning for [email protected] when installing GrapesJS is a valid concern regarding dependency maintenance. Let's break down the situation and what it means for GrapesJS users. Root Cause: Deprecated Dependency GrapesJS c...

#6049Aug 7, 2024by danstarns1 answer
0 reactions

Dependencies

The codebase currently relies on outdated dependencies. This ticket aims to: Update all existing dependencies to their latest stable versions. Set up Dependabot to automatically check for and update dependencies in the future. Keeping dependencies up to date will improve security, performance, and compatibility with o...

GJS Helper

Keeping project dependencies up-to-date is crucial for security, performance, and compatibility. For a GrapesJS project, which typically uses Node.js and npm/yarn, this involves a two-pronged approach: initial manual updates and then autom...

#5743Mar 11, 2024by davidgabrichidze4 answers
5 reactions

XSS vulnerability in iframe attribute src

GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Edge v122 Reproducible demo link https://jsfiddle.net/bwreyq29/1/ Describe the bug How to reproduce the bug? open this link https://jsfiddle.net/bwreyq29/1/ and javascript code attached to src attribute will be executed au...

bernesto

I think the pre-parser option is a really good idea. It sticks to the 'plug-in' per feature concept. How about updating fromElement to accept a string element ID or boolean. If bool == true, works as it does now, parsing the container HTML...

artf

Totally agree with @bernesto indeed no matter how hard we try to make it safe, it will never be enough and I don't want to give the impression that the library is "so safe" to justify a missing server-side validation. The current options (...

bernesto

This is unavoidable when using fromElement to load from an active DOM element. The element of the page loads and executes synchronously. GrapesJS would never have a chance to process and disarm the XSS html. This would need to be addressed...

#4411Jun 27, 2022by zgeist4 answers
2 reactions

XSS when add class name to Selector Manager

GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Chrome v102 Reproducible demo link https://jsfiddle.net/szLp8h4n Describe the bug How to reproduce the bug?Select any componentAdd class name to Selector Manager like <a href="#"onclick='alert(123)'>check</a>After click on...

artf

Thanks for the report, will be fixed in the next release.

Rawne

Also running into this XSS bug. For example adding "><img src=x onerror=alert('XSS')> to the classes of a component will cause it to pop up as well.

zgeist

Thanks a lot!

#4076Jan 17, 2022by diemkay4 answers
0 reactions

XSS vulnerability via component attributes

GrapesJS version [X] I confirm to use the latest version of GrapesJS What browser are you using? Chrome 97.0.4692.71 Reproducible demo link https://jsfiddle.net/ovrz5ug2/4/ Describe the bug Hi - we ran across this XSS vulnerability while using GrapesJS in a multiplayer type scenario, with several privileged users able...

artf

Thanks @diemkay please refer to this issue if you have any suggestions: https://github.com/artf/grapesjs/issues/3082

diemkay

@artf Thanks, but I've already seen that ticket and it doesn't cover the issue I'm describing here. The injection is not in Live Preview, it's in Style Manager, where it tries to display the id of the component, by setting .innerHtml.

artf

Yeah sorry, closed too soon ๐Ÿ˜. I'll try to fix for the next release.

#3596Jul 6, 2021by aimeos4 answers
0 reactions

Values are not escaped

GrapesJS code is open to XSS issues because values are inserted into DOM without escaping, e.g. https://github.com/artf/grapesjs/blob/dev/src/assetmanager/view/AssetImageView.js#L30 If model.getFilename() returns <img src=x onerror=alert(document.cookie)>.jpg, this can result in an account takeover. Instead the code s...

aimeos

@artf What are your plans because the vulnerability of GrapesJS to XSS is a pretty big security problem

artf

Yeah thanks for the report @aimeos I'll fix it in the next version for sure

aimeos

@artf The documentation also uses ${var} to insert variables into templates often. This should also be changed to avoid that developers introduce security issues too without knowing that.

#3558Jun 22, 2021by aimeos4 answers
2 reactions

Support Content-Security-Policy

To reduce the possible attack surface if the editor is used in "hostile" environments (e.g. in SaaS platforms) support for CSP is required. This will also prevent problems like https://github.com/artf/grapesjs/issues/3082 At the moment, the only problem that prevents effective CSP rules is the use of new Function() in...

artf

ok then, I'll try to fix it for the next release.

artf

mmm I'm not sure exactly how I'm able to fix it and what do you mean by is the use of new Function() in the GrapesJS code as there is no such a thing in the source?

aimeos

Found out that it's in the dist files due to underscore.js template() method which uses new Function(). I think this will make it hard to replace or remove that dependency to enforce a CSP without 'unsafe-eval'.

#3481May 25, 2021by zgeist4 answers
4 reactions

Update underscore lib to 1.13.*

Current version have security issue Might be update to newest version

igorstasiuk

yeah +1, need to be updated to latest underscore version

artf

Hi guys, I'm closing this as a duplicate of #3443

kirill-malyhin

Also need that fix after pen test!

Browse all topics