BUG: XSS when add class name to Selector Manager #4411

Closed
2 tasks done
zgeist opened this issue Jun 27, 2022 · 3 comments

zgeist commented Jun 27, 2022

GrapesJS version

  • I confirm to use the latest version of GrapesJS

What browser are you using?

Chrome v102

Reproducible demo link

https://jsfiddle.net/szLp8h4n

Describe the bug

How to reproduce the bug?

  1. Select any component
  2. Add a class name to Selector Manager like <a href="#"onclick='alert(123)'>check</a>
  3. After clicking on the class name, you get an alert

What is the expected behavior?
Class name should be escaped

What is the current behavior?
JavaScript runs in the class name

Need to add an escape function to the template https://github.com/artf/grapesjs/blob/dev/src/selector_manager/view/ClassTagView.ts#L13

Code of Conduct

  • I agree to follow this project's Code of Conduct

Rawne commented Jun 27, 2022

Also running into this XSS bug. For example adding "><img src=x onerror=alert('XSS')> to the classes of a component will cause it to pop up as well.

Member

artf commented Jun 27, 2022

Thanks for the report, will be fixed in the next release.

Author

zgeist commented Jun 27, 2022

Thanks a lot!

@artf artf closed this as completed in 13e85d1 Jun 27, 2022
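
The escaping requested in the report, as an added example that is not GrapesJS code and not from any participant in this thread. The template shape, the `title` attribute and all function names are assumptions made for illustration; the two class names are the ones reported above. The attribute is included because the second class name begins with `">`, which only has an effect when quotes are left unescaped.

```javascript
// Hypothetical stand-in for a class-tag template; not the project's ClassTagView.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '`': '&#96;',
};

// Escape every character that can open a tag, end an attribute value or start an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the label goes into the markup string raw, as in the reported behaviour.
function renderTagUnsafe(label) {
  return `<span data-tag-name title="${label}">${label}</span>`;
}

// "After": the label is escaped once, at the point where it enters the HTML string.
function renderTagSafe(label) {
  const safe = escapeHtml(label);
  return `<span data-tag-name title="${safe}">${safe}</span>`;
}

// Count tag openers in rendered markup; the template itself contributes exactly one.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// The two class names from this thread plus a benign one.
const SAMPLES = [
  `<a href="#"onclick='alert(123)'>check</a>`,
  `"><img src=x onerror=alert('XSS')>`,
  'my-class',
];

// For each label, compare how many elements each renderer would produce.
function demo() {
  return SAMPLES.map((label) => ({
    label,
    unsafeTags: countTags(renderTagUnsafe(label)),
    safeTags: countTags(renderTagSafe(label)),
  }));
}

console.table(demo());
```

Any `unsafeTags` value above 1 means the class name introduced markup of its own; after escaping, every sample renders as a single `span` whose text is the literal class name.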