Template HTML Injection

Hi,

This vulnerability occurs when a web application allows users to input HTML content (such as
in an email template) without proper validation or sanitization, leading to the execution of
injected malicious HTML or JavaScript.

I have tried, in the class JsonEmailTemplateEdit, to override onPreCommit when the data is getting saved and check HTML sanitization there, but in the excluded entities there is nothing such as HTML getting found. Is there any other way to check HTML sanitization before saving the details?

[Screenshots attached, 2025-09-17]

Hello,

Thank you for reporting a problem! I tried to reproduce your case, but JavaScript is not executed in the editor. Could you clarify where this is executed?

The resulting HTML is saved in the JsonEmailTemplate entity. It contains the html property. You can check it in the onPreCommit method. Or you can override the component to get/set already sanitized values. For instance:

ExtGrapesJsNewsletterHtmlEditorImpl.class
// Subclass of the GrapesJS newsletter editor component that sanitizes the HTML
// on both sides of the value binding, so neither the value read from the editor
// nor the value pushed into it can carry script content.
public class ExtGrapesJsNewsletterHtmlEditorImpl extends GrapesJsNewsletterHtmlEditorImpl {

    // Value going out of the component (towards the entity's html property).
    @Override
    public String getValue() {
        String value = super.getValue();

        return sanitize(value);
    }

    // Value coming into the component (e.g. when an existing template is opened).
    @Override
    public void setValue(String value) {
        String sanitized = sanitize(value);

        super.setValue(sanitized);
    }

    // sanitize(String) is the application's own HTML sanitizing helper; it is not
    // shown here and has to be supplied by the project.
}

And component registration:

import org.springframework.context.annotation.Bean;

import io.jmix.flowui.sys.registration.ComponentRegistration;
import io.jmix.flowui.sys.registration.ComponentRegistrationBuilder;

// Declared in a @Configuration class of the application: replaces the framework
// component registered under GrapesJsNewsletterHtmlEditor.NAME with the subclass,
// keeping the original loader.
@Bean
public ComponentRegistration extGrapesJsNewsletterHtmlEditorImpl() {
    return ComponentRegistrationBuilder.create(GrapesJsNewsletterHtmlEditor.NAME)
            .withComponentClass(ExtGrapesJsNewsletterHtmlEditorImpl.class)
            .withComponentLoaderClass(GrapesJsNewsletterHtmlEditorLoader.class)
            .build();
}

Pay attention that you should check how the default sanitizer will work with template parameters.
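The reply above leaves sanitize(String) undefined. What follows is an added example of one way to implement it; it is not Jmix code and not from the thread. It assumes the OWASP Java HTML Sanitizer (org.owasp.html) is on the classpath and that template parameters use the FreeMarker-style ${...} syntax; the class name TemplateHtmlSanitizer and the token format are this example's own choices. The masking step is there for the caveat about template parameters: each ${...} is swapped for an opaque alphanumeric token before sanitizing and put back afterwards, so the sanitizer can neither encode nor strip it.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Illustrative sanitizer for stored e-mail template HTML (example code, not Jmix's).
 * Assumes the OWASP Java HTML Sanitizer is available on the classpath.
 */
public class TemplateHtmlSanitizer {

    // Allow-list policy: structural and formatting tags, links and images restricted
    // to http/https/mailto. Anything else, including <script>, event handler
    // attributes and "javascript:" URLs, is dropped rather than escaped.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("div", "p", "span", "br", "h1", "h2", "h3",
                           "strong", "em", "b", "i", "ul", "ol", "li",
                           "table", "tr", "td")
            .allowElements("a").allowAttributes("href").onElements("a")
            .allowElements("img").allowAttributes("src", "alt").onElements("img")
            .allowStandardUrlProtocols()
            .allowStyling()                 // keeps a safe subset of inline style=""
            .toFactory();

    // Template parameters as used by the e-mail templates, e.g. ${user.name}
    private static final Pattern PARAM = Pattern.compile("\\$\\{[^}]*\\}");

    public static String sanitize(String html) {
        if (html == null) {
            return null;
        }

        // 1. Mask every ${...} with an opaque token the sanitizer leaves untouched.
        //    Tokens are alphanumeric so they survive both text and URL contexts.
        List<String> params = new ArrayList<>();
        Matcher m = PARAM.matcher(html);
        StringBuilder masked = new StringBuilder();
        while (m.find()) {
            params.add(m.group());
            m.appendReplacement(masked, "JMIXTPL" + (params.size() - 1) + "JMIXTPL");
        }
        m.appendTail(masked);

        // 2. Run the allow-list policy over the masked markup.
        String clean = POLICY.sanitize(masked.toString());

        // 3. Restore the original parameters verbatim.
        for (int i = 0; i < params.size(); i++) {
            clean = clean.replace("JMIXTPL" + i + "JMIXTPL", params.get(i));
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample: an injected javascript: link and a <script> element
        // next to legitimate parameters in text and inside a URL.
        String stored = "<div style=\"padding:10px\"><p>Hello ${user.name}, "
                + "<a href=\"javascript:alert('XSS')\">Click Here</a> "
                + "<a href=\"https://example.com/confirm/${token}\">Confirm</a>"
                + "<script>alert(1)</script></p></div>";

        System.out.println(sanitize(stored));
    }
}
```

With the constructed input above the output contains no javascript: URL and no script element, while both ${user.name} and ${token} come back unchanged. Call sanitize from the getValue/setValue override shown in the reply, or from onPreCommit on the entity's html property; in either case the check runs on the markup the preview will render. Note that a stored string whose tags are already entity-encoded (&lt;a ...&gt;) is plain text to the sanitizer and to the browser, so it is passed through unchanged rather than decoded.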

Hi,

I had checked with the shared solution, but it is not working, as we are getting the text in the form of HTML.
The regex is trying to match the pattern inside the actual HTML attribute, but the input string is HTML-encoded.
So when we decode the HTML entities first and then apply the regex to the decoded string, on the Email template screen a black or empty screen is displayed; also, when we click on the side panel again to add text, it is not in clickable mode and no action happens.

<div style=\"padding:10px\"><p>&lt;a href&#61;&#34;javascript:alert(&#39;XSS&#39;)&#34;/&gt;Click Here&lt;/a&gt;</p></div>
[Screenshot attached, 2025-09-18]

Hi Adnan,

could you share a demo project that reproduces your problem with HTML? Also, could you clarify where in the application the JS code defined in the email template is executed?

[Screenshots attached: screen-1 to screen-4.1]

Attached are the steps where the user is able to execute the script.

Thank you for sharing the steps to reproduce the problem!

I've created a GitHub issue: GrapesJsNewsletterHtmlEditor produces HTML with JavaScript code that can be executed in template preview (jmix-framework/jmix, Issue #4759 on GitHub).