I see that any XSS can be stored inside GRAV in pages - is it OK?!
It is saved and shows alert popups, in the admin panel and in the frontend of the site.
Thanks for this.
Within Admin, by trusted users, this is no issue. Have you found a way to exploit any forms that random Mallories from the public can input? That would be a concern.
It is not normal for sure. I don't recommend using that admin panel at all; it's full of vulnerabilities.
How can you compromise the site from doing that? I genuinely don't understand.
I understand that an attacker (who must first obtain admin access) can generate some arbitrary JavaScript, but so what, and then what?
This is a known attack-vector, and not related to Grav itself. Any person given editor-access to pages must be trusted to not abuse this privilege, and the Admin-interface is not written to be a publicly accessible notepad. The Admin-plugin is as vulnerable as you make it, and can easily be locked down to be as secure as any other editor.
That said, writing a plugin or pull request to the Admin-repo that allows cleaning up JS- or specific HTML-code is possible. TemplateMonster, apart from being a blatant advertisement for overpriced themes, does not appear to have any security-features that prohibit such abuse, and relies entirely on templates for WordPress, Joomla, Drupal and Moto, all demonstrably less secure than Grav's Admin-plugin.
Lastly, if you are truly concerned about XSS-attacks, or any other vulnerabilities in Admin, there is absolutely no reason why you have to have it installed on a live website. Many users of Grav prefer to use Admin locally or on a staging-environment to simply eliminate such concerns altogether.
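As an added illustration of the "plugin that cleans up JS" idea from the reply above (this is example code written for this page, not part of Grav or the Admin plugin), here is a minimal Grav plugin that strips script elements, inline event-handler attributes and `javascript:` URLs from page markdown when it is saved in Admin, and again when page content is rendered. The plugin name `stripscripts`, the class name, and the regex filter itself are assumptions; the event names `onPluginsInitialized`, `onAdminSave` and `onPageContentProcessed` and the `Page::rawMarkdown()` / `setRawContent()` methods are Grav's own.

```php
<?php
// user/plugins/stripscripts/stripscripts.php  (example plugin, not shipped with Grav)
namespace Grav\Plugin;

use Grav\Common\Plugin;
use Grav\Common\Page\Page;
use RocketTheme\Toolbox\Event\Event;

class StripScriptsPlugin extends Plugin
{
    public static function getSubscribedEvents()
    {
        return [
            'onPluginsInitialized' => ['onPluginsInitialized', 0],
        ];
    }

    public function onPluginsInitialized()
    {
        if ($this->isAdmin()) {
            // Scrub the markdown before Admin writes it to disk.
            $this->enable(['onAdminSave' => ['onAdminSave', 0]]);
            return;
        }
        // Defence in depth: also scrub whatever is rendered on the frontend,
        // so content that bypassed Admin (FTP, git sync) is filtered too.
        $this->enable(['onPageContentProcessed' => ['onPageContentProcessed', 0]]);
    }

    public function onAdminSave(Event $event)
    {
        $obj = $event['object'];
        if ($obj instanceof Page) {
            $obj->rawMarkdown(self::sanitize($obj->rawMarkdown()));
        }
    }

    public function onPageContentProcessed(Event $event)
    {
        $page = $event['page'];
        $page->setRawContent(self::sanitize($page->getRawContent()));
    }

    /**
     * Blocklist filter: removes the most common stored-XSS carriers.
     * A blocklist is deliberately simple here; for production use an
     * allowlist sanitizer such as HTML Purifier, which is far harder to bypass.
     */
    public static function sanitize($html)
    {
        if (!is_string($html) || $html === '') {
            return $html;
        }
        $patterns = [
            '#<script\b[^>]*>.*?</script>#is',          // <script>...</script>
            '#<script\b[^>]*/?>#i',                     // unterminated <script>
            '#\s+on[a-z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', // onload=..., onerror=...
            '#(href|src|action)\s*=\s*["\']?\s*javascript:[^"\'>\s]*["\']?#i', // javascript: URLs
        ];
        $replacements = ['', '', '', '$1="#"'];
        // Loop until stable so nested tricks like <scr<script>ipt> are also removed.
        do {
            $before = $html;
            $html = preg_replace($patterns, $replacements, $html);
        } while ($html !== null && $html !== $before);
        return $html === null ? '' : $html;
    }
}
```

The plugin also needs a `stripscripts.yaml` beside it containing `enabled: true`. Note that this only protects page content; front matter, theme files and other plugins' inputs are untouched, and Grav's own `pages.markdown.escape_markup` setting in system.yaml is the blunter built-in alternative that escapes all raw HTML rather than selectively removing scripts.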