Moderate severity · OSV Advisory · Published Jul 25, 2022 · Updated Sep 16, 2024
Cross-site Scripting (XSS)
CVE-2022-21802
Description
The package grapesjs before 0.19.5 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization of the class name in the Selector Manager.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| grapesjs (npm) | >= 0 | — |
Affected products
Patches (1)
13e85d152d48 Protect Selector Manager views from XSS. Closes #4411
2 files changed · +26 −32
src/selector_manager/view/ClassTagsView.ts+23 −28 modified@@ -11,36 +11,31 @@ import Selectors from '../model/Selectors'; export default class ClassTagsView extends View<Selector> { template({ labelInfo, labelHead, iconSync, iconAdd, pfx, ppfx }: any) { - return ` - <div id="${pfx}up" class="${pfx}header"> - <div id="${pfx}label" class="${pfx}header-label">${labelHead}</div> - <div id="${pfx}status-c" class="${pfx}header-status"> - <span id="${pfx}input-c" data-states-c> - <div class="${ppfx}field ${ppfx}select"> - <span id="${ppfx}input-holder"> - <select id="${pfx}states" data-states></select> - </span> - <div class="${ppfx}sel-arrow"> - <div class="${ppfx}d-s-arrow"></div> + return html` <div id="${pfx}up" class="${pfx}header"> + <div id="${pfx}label" class="${pfx}header-label">${labelHead}</div> + <div id="${pfx}status-c" class="${pfx}header-status"> + <span id="${pfx}input-c" data-states-c> + <div class="${ppfx}field ${ppfx}select"> + <span id="${ppfx}input-holder"> + <select id="${pfx}states" data-states></select> + </span> + <div class="${ppfx}sel-arrow"> + <div class="${ppfx}d-s-arrow"></div> + </div> </div> - </div> - </span> + </span> + </div> </div> - </div> - <div id="${pfx}tags-field" class="${ppfx}field"> - <div id="${pfx}tags-c" data-selectors></div> - <input id="${pfx}new" data-input/> - <span id="${pfx}add-tag" class="${pfx}tags-btn ${pfx}tags-btn__add" data-add> - ${iconAdd} - </span> - <span class="${pfx}tags-btn ${pfx}tags-btn__sync" style="display: none" data-sync-style> - ${iconSync} - </span> - </div> - <div class="${pfx}sels-info"> - <div class="${pfx}label-sel">${labelInfo}:</div> - <div class="${pfx}sels" data-selected></div> - </div>`; + <div id="${pfx}tags-field" class="${ppfx}field"> + <div id="${pfx}tags-c" data-selectors></div> + <input id="${pfx}new" data-input /> + <span id="${pfx}add-tag" class="${pfx}tags-btn ${pfx}tags-btn__add" data-add> $${iconAdd} </span> + <span class="${pfx}tags-btn ${pfx}tags-btn__sync" style="display: 
none" data-sync-style> $${iconSync} </span> + </div> + <div class="${pfx}sels-info"> + <div class="${pfx}label-sel">${labelInfo}:</div> + <div class="${pfx}sels" data-selected></div> + </div>`; } events() {
src/selector_manager/view/ClassTagView.ts+3 −4 modified@@ -1,5 +1,6 @@ import { View } from '../../common'; import State from '../model/State'; +import html from '../../utils/html'; const inputProp = 'contentEditable'; @@ -8,12 +9,10 @@ export default class ClassTagView extends View<State> { const { pfx, model, config } = this; const label = model.get('label') || ''; - return ` + return html` <span id="${pfx}checkbox" class="${pfx}tag-status" data-tag-status></span> <span id="${pfx}tag-label" data-tag-name>${label}</span> - <span id="${pfx}close" class="${pfx}tag-close" data-tag-remove> - ${config.iconTagRemove} - </span> + <span id="${pfx}close" class="${pfx}tag-close" data-tag-remove> $${config.iconTagRemove} </span> `; }
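Review bot: in the ClassTagsView.ts hunk the template now mixes two interpolation forms, `${labelHead}` / `${labelInfo}` and `$${iconAdd}` / `$${iconSync}`, and that distinction (escaped text versus raw icon markup from config) is the whole point of the change, yet nothing in the hunk explains it; add a short comment above `return html\`` stating that `$${...}` bypasses escaping and must only ever receive config-controlled markup. Also, this hunk starts at line 11 and does not show the corresponding `import html from '../../utils/html'` that the ClassTagView.ts hunk adds, so confirm that import is present at the top of ClassTagsView.ts.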
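Review bot: in the second ClassTagView.ts hunk, `${label}` (from `model.get('label')`, the selector name) is the value that previously reached the DOM unescaped, and switching to `return html\`` is what now escapes it, but the commit touches only the two view files ("2 files changed"), so there is no regression test; add a test that renders a tag whose label contains HTML markup and asserts the markup appears as text in the output. `$${config.iconTagRemove}` is kept raw by design, and a one-line comment on the `$$` convention would stop a future cleanup from "normalizing" it back to `${...}`.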
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
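The fix above swaps a plain template literal for an `html` tagged template and marks the trusted icon markup with `$${...}`. The implementation of grapesjs's `utils/html` is not on this page, so the following is an added example, not project code: a minimal tagged template that escapes every `${...}` interpolation and passes a value through raw only when the author wrote `$${...}`. The escaping table, the "chunk ends in `$`" convention and the sample label and icon are all assumptions constructed for the example; it contrasts the pre-fix rendering shape with the post-fix one.

```javascript
// Added example (not grapesjs code): an "html" tagged template in the style the fix
// diff suggests. ${value} is HTML-escaped; $${value} is passed through unchanged.
// The escape table and the "$" marker convention are assumptions for this example.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tag function: `strings` are the literal chunks, `values` the interpolations.
// Writing $${x} in the template leaves a trailing "$" on the preceding chunk,
// which this function treats as "author vouches for this value, insert raw".
function html(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    let chunk = strings[i];
    if (i < values.length) {
      if (chunk.endsWith('$')) {
        out += chunk.slice(0, -1) + String(values[i]); // trusted markup (icons from config)
      } else {
        out += chunk + escapeHtml(values[i]); // untrusted text (selector label)
      }
    } else {
      out += chunk;
    }
  }
  return out;
}

// Pre-fix shape: the selector label is concatenated into the markup as-is.
function renderTagUnsafe(label, iconRemove) {
  return `<span data-tag-name>${label}</span><span data-tag-remove>${iconRemove}</span>`;
}

// Post-fix shape: label is escaped, icon markup from config stays raw via $${...}.
function renderTagSafe(label, iconRemove) {
  return html`<span data-tag-name>${label}</span><span data-tag-remove>$${iconRemove}</span>`;
}

// Constructed sample input: a class name that happens to contain markup, and a
// config-supplied icon. Neither comes from the advisory.
const SAMPLE_LABEL = 'my-class<b>x</b>';
const SAMPLE_ICON = '<svg viewBox="0 0 1 1"></svg>';

console.log('unsafe:', renderTagUnsafe(SAMPLE_LABEL, SAMPLE_ICON));
console.log('safe:  ', renderTagSafe(SAMPLE_LABEL, SAMPLE_ICON));
```

The unsafe variant emits the `<b>` element from the label as real markup; the safe variant emits it as `&lt;b&gt;`, while the icon SVG is still inserted as markup because it was marked with `$${...}`. The security property rests entirely on `$${...}` receiving only values the application controls, which is why the raw path deserves a comment wherever it is used.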
References
- github.com/advisories/GHSA-589f-c66p-hxr4 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-21802 (advisory)
- github.com/artf/grapesjs/commit/13e85d152d486b968265c4b8017e8901e7d89ff3 (fix commit)
- github.com/artf/grapesjs/issues/4411#issuecomment-1167202709 (issue)
- github.com/artf/grapesjs/releases/tag/v0.19.5 (release)
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2936781 (Snyk)
- security.snyk.io/vuln/SNYK-JS-GRAPESJS-2935960 (Snyk)