
[Port to 1.x] GrapesJsNewsletterHtmlEditor produces HTML with JavaScript code that can be executed in template preview

Open Flaurite opened this issue 5 months ago • 1 comment

Environment

Jmix version: 1.7.1

Bug Description

Support forum discussion: topic.

If the user adds a link with the following attribute: href="javascript:alert('1')", it will be executed in the Email Template preview.

Note that in Jmix 2.x by default HTML files are not opened in the web browser but downloaded.

Steps To Reproduce

  1. Add email template add-on
  2. Launch the application
  3. Create a template, add a "link" element
  4. Edit the template code and add href="javascript:alert('1')" to the link.
  5. Click on preview button
  6. In the opened tab click on the link.

Current Behavior

The JS is executed within the Jmix application:

[Image]

Expected Behavior

The JS code should not be executed within the Jmix application. The HTML can be downloaded, or we should sanitize the HTML.

Flaurite, Sep 29 '25 09:09
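One way to do the sanitizing that the expected behaviour calls for, as an added example that is not Jmix's code: an allowlist HTML filter that also mirrors the browser's URL normalisation, so a `javascript:` scheme hidden behind leading whitespace, control characters or an entity-encoded tab is caught as well as the plain one from the report. In a Jmix (Java) application the same rules would be expressed with a Java sanitizer library; the tag and attribute lists, the `is_safe_url` and `sanitize_newsletter_html` names and the sample input are all constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist sanitizer: unlisted tags/attributes are dropped (so onclick etc. never survive); href/src must also carry a safe scheme.
ALLOWED_TAGS = {"a", "p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "h1", "h2", "div", "span", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")

def is_safe_url(value):
    # Browsers ignore tab/newline inside a URL and leading control/space characters,
    # so " JAVA\tSCRIPT:" still runs; normalise the same way before checking the scheme.
    v = "".join(c for c in value if c not in "\t\n\r").lstrip("".join(map(chr, range(0x21))))
    m = SCHEME_RE.match(v)
    return m is None or m.group(1).lower() in SAFE_SCHEMES  # no scheme = relative URL

class NewsletterSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded before we inspect values
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1  # the element and its text content are discarded
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name in ALLOWED_ATTRS.get(tag, ()) and (name not in ("href", "src") or is_safe_url(value)):
                    kept.append(f' {name}="{escape(value, quote=True)}"')
                else:
                    self.dropped.append((tag, name, value))  # worth logging: a removed attribute is a signal
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_newsletter_html(html):
    p = NewsletterSanitizer()
    p.feed(html); p.close()
    return "".join(p.out), p.dropped  # (clean html, attributes that were removed)

# Constructed sample mirroring the report, plus a script tag and two common scheme evasions.
SAMPLE = ('<p>Hi <b>reader</b></p><a href="javascript:alert(\'1\')">click</a><script>alert(4)</script>'
          '<a href=" JAVA&#09;SCRIPT:alert(2)" onclick="alert(3)">tricky</a><a href="https://example.com/n?x=1">ok</a>')
```

Serving the sanitized result is a defence in depth measure; the preview should additionally be delivered with a Content-Security-Policy or as a download, as the issue suggests, because a sanitizer allowlist can always lag behind new markup.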

For future assignee: create an issue for 2.x

glebfox, Oct 03 '25 07:10