Any XSS code can be stored?

Hello!

I see that any XSS can be stored inside GRAV in pages - is it ok?!
It is saved and shows an alert popup, in the admin panel and on the frontend of the site.

Thanks for this.

Within Admin, by trusted users, this is no issue. Have you found a way to exploit any forms that random Mallories from the public can input? That would be a concern.

It is not normal for sure, I don't recommend using that admin panel at all, it's full of vulnerabilities.

Pages list

How can you compromise the site from doing that? I genuinely don’t understand.

I understand that an attacker (who must first obtain admin access) can generate some arbitrary Javascript, but so what and then what?

This is a known attack-vector, and not related to Grav itself. Any person given editor-access to pages must be trusted to not abuse this privilege, and the Admin-interface is not written to be a publicly accessible notepad. The Admin-plugin is as vulnerable as you make it, and can easily be locked down to be as secure as any other editor.

That said, writing a plugin or pull request to the Admin-repo that allows cleaning up JS- or specific HTML-code is possible. TemplateMonster, apart from being a blatant advertisement for overpriced themes, does not appear to have any security-features that prohibit such abuse – and relies entirely on templates for Wordpress, Joomla, Drupal and Moto, all demonstrably less secure than Grav's Admin-plugin.

Lastly, if you are truly concerned about XSS-attacks, or any other vulnerabilities in Admin, there is absolutely no reason why you have to have it installed on a live website. Many users of Grav prefer to use Admin locally or on a staging-environment to simply eliminate such concerns altogether.
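The "plugin that cleans up JS- or specific HTML-code" mentioned in the reply above, sketched as an added example; this is not code from Grav or the Admin plugin. It assumes Grav 1.x's `Plugin` base class, the `onPageContentProcessed` event and the `Page::getRawContent()`/`setRawContent()` methods, and the allow-list is a sample policy rather than a recommended default. The approach is an allow-list over a parsed DOM rather than regex stripping: unknown tags are unwrapped, dangerous ones are dropped with their content, every attribute not explicitly permitted (so every `on*` handler, `style`, `srcdoc`, `formaction`) is removed, and URL attributes must carry an allow-listed scheme, with control characters stripped before the scheme check because browsers ignore them inside `java\tscript:`.

```php
<?php
// Added illustration, not code from Grav or the Admin plugin. Assumes Grav 1.x's
// Plugin base class, the onPageContentProcessed event and Page::getRawContent()/
// setRawContent(); the allow-list below is a sample policy, not a recommended default.
namespace Grav\Plugin;

use Grav\Common\Plugin;
use RocketTheme\Toolbox\Event\Event;

class ContentSanitizerPlugin extends Plugin
{
    /** Tags an editor may use, each with its permitted attributes (sample policy). */
    private const ALLOWED = [
        'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'ul' => [], 'ol' => [],
        'li' => [], 'h1' => [], 'h2' => [], 'h3' => [], 'blockquote' => [],
        'code' => [], 'pre' => [],
        'a'   => ['href', 'title'],
        'img' => ['src', 'alt'],
    ];
    /** Elements removed together with everything inside them. */
    private const DROP = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];
    private const SCHEMES = ['http', 'https', 'mailto'];

    public static function getSubscribedEvents(): array
    {
        return ['onPageContentProcessed' => ['onPageContentProcessed', 0]];
    }

    /** Runs after Markdown/Twig have produced the page HTML, before it is cached. */
    public function onPageContentProcessed(Event $event): void
    {
        $page = $event['page'];
        $page->setRawContent(self::sanitize($page->getRawContent()));
    }

    public static function sanitize(string $html): string
    {
        $doc = new \DOMDocument();
        libxml_use_internal_errors(true);           // editors' HTML is rarely well-formed
        $doc->loadHTML('<?xml encoding="utf-8"?>' . $html, LIBXML_HTML_NODEFDTD);
        libxml_clear_errors();
        $body = $doc->getElementsByTagName('body')->item(0);
        if ($body === null) {
            return '';
        }
        self::walk($body);
        $out = '';
        foreach ($body->childNodes as $child) {     // anything libxml put in <head> is discarded
            $out .= $doc->saveHTML($child);
        }
        return $out;
    }

    private static function walk(\DOMNode $parent): void
    {
        // Snapshot the list: removing/unwrapping mutates the live childNodes collection.
        foreach (iterator_to_array($parent->childNodes) as $child) {
            if ($child instanceof \DOMComment) {    // comments can smuggle conditional markup
                $parent->removeChild($child);
                continue;
            }
            if (!$child instanceof \DOMElement) {
                continue;                           // text nodes are serialised escaped
            }
            $tag = strtolower($child->tagName);
            if (in_array($tag, self::DROP, true)) {
                $parent->removeChild($child);
                continue;
            }
            self::walk($child);                     // clean the subtree first, then decide on the tag
            if (!isset(self::ALLOWED[$tag])) {
                while ($child->firstChild) {        // unknown tag: keep its (already cleaned) content
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);    // drops onclick, style, srcdoc, formaction, ...
                $keep = in_array($name, self::ALLOWED[$tag], true)
                    && (!in_array($name, ['href', 'src'], true) || self::safeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
        }
    }

    /** Relative URLs pass; absolute ones need an allow-listed scheme. */
    private static function safeUrl(string $url): bool
    {
        // Browsers ignore ASCII control characters and whitespace inside the scheme
        // ("java\tscript:"), so strip them before matching. Entities such as
        // &#106;avascript: are already decoded by the parser at this point.
        $probe = preg_replace('/[\x00-\x20]+/', '', $url);
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
            return true;
        }
        return in_array(strtolower($m[1]), self::SCHEMES, true);
    }
}
```

Two caveats for anyone adopting this. It cleans the rendered page, not the stored Markdown, so the raw content in the editor and the Admin-side preview still contain whatever the editor saved; removing the popup inside Admin itself means running the same `sanitize()` at save time or, as the reply says, keeping Admin off the live site. And libxml normalises what it parses (loose top-level text is wrapped in `<p>`, stray close tags are repaired), so run the output through the theme on a staging copy before trusting it on a production page.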
