BUG: Component attributes data not sanitized properly leading to self XSS

### GrapesJS version

- [x] I confirm to use the latest version of GrapesJS

### GrapesJS MJML version

- [x] I confirm to use the latest version of GrapesJS MJML

### What browser are you using?

Chrome 126

### Reproducible demo link

https://grapesjs.com/demo-mjml.html

### Describe the bug

**How to reproduce the bug?**
1. Go to https://grapesjs.com/demo-mjml.html
2. Select any component
3. Set component's `id` attribute's value to `123"></div><img src=x onerror=alert(1)>123`

**What is the expected behavior?**
... The XSS code in the attribute's value should be sanitized and removed.

**What is the current behavior?**
... The XSS code executes and triggers an alert(as seen in [this video](https://www.awesomescreenshot.com/video/36344718?key=612a5a9d7644eb6c4d2f835a86a197d3)). This happens only with GrapesJS MJML node module. With core GrapesJS editor the issue doesn't occur as seen [here](https://i.ibb.co/4ZwYsKDY/Peek-2025-02-07-14-34.gif) on core editor demo site.

### Code of Conduct

- [x] I agree to follow this project's Code of Conduct

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

BUG: Component attributes data not sanitized properly leading to self XSS #391

GrapesJS version

GrapesJS MJML version

What browser are you using?

Reproducible demo link

Describe the bug

Code of Conduct

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

BUG: Component attributes data not sanitized properly leading to self XSS #391

Description

GrapesJS version

GrapesJS MJML version

What browser are you using?

Reproducible demo link

Describe the bug

Code of Conduct

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions