Any XSS code can be stored?


I see that any XSS can be stored inside GRAV in pages - is it ok ?!
It is saved and show alerts popup, in the admin panel in the frontend of the site

Thanks for this.

Within Admin, by trusted users, this is no issue. Have you found a way to exploit any forms that random Mallories from the public can input? That would be a concern.

It is not normal for sure, i don’t recommend using that admin panel at all, it’s full of vulnerabilities.

Pages list

How can you compromise the site from doing that? I genuinely don’t understand.

I understand that an attacker (who must first obtain admin access) can generate some arbitrary Javascript, but so what and then what?

This is a known attack-vector, and not related to Grav itself. Any person given editor-access to pages must be trusted to not abuse this privilege, and the Admin-interface is not written to be a publicly accessible notepad. The Admin-plugin is as vulnerable as you make it, and can easily be locked down to be as secure as any other editor.

That said, writing a plugin or pull request to the Admin-repo that allows cleaning up JS- or specific HTML-code is possible. TemplateMonster, apart from being a blatant advertisement for overpriced themes, does not appear to have any security-features that prohibit such abuse – and rely entirely on templates for Wordpress, Joomla, Drupal and Moto, all demonstrably less secure that Grav’s Admin-plugin.

Lastly, if you are truly concerned about XSS-attacks, or any other vulnerabilities in Admin, there is absolutely no reason why you have to have it installed on a live website. Many users of Grav prefer to use Admin locally or on a staging-environment to simply eliminate such concerns altogether.

1 Like