The HTML content tool lets users enter arbitrary HTML, including <script> tags and inline event handlers (onerror, onclick, …). This markup is preserved verbatim in both the exported HTML and the saved design JSON. There is no built-in option to strip or sanitize executable content, which creates a stored-XSS risk for any application that renders the editor output in a same-origin context (e.g. a live preview iframe via document.write, or innerHTML without a sanitizer).
safeHtml: true only removes invalid HTML structures — it does not remove <script>, on* handlers, or javascript: URLs, so it cannot be relied on as a security control.
Steps to reproduce:
- Open the editor and drag in an HTML tool block.
- Enter:
  <img src=x onerror="alert(document.domain)">
  <script>alert('xss')</script>
- Call editor.exportHtml(...).
- Observed: the exported HTML (and the saved design JSON) still contain the <script> tag and the onerror handler unchanged.
- Rendering that output in a same-origin context executes the script.
Expected behavior:
An official, opt-in way to neutralize executable content from the HTML tool, e.g. one of:
- A config option such as tools.html.sanitize: true (or a global safeHtml-style flag) that strips <script>, inline on* handlers, and javascript:/data: URLs from HTML-tool blocks.
- A documented sanitization hook/callback invoked on HTML-tool input or on exportHtml.
- At minimum, explicit documentation stating that HTML-tool output is untrusted and must be sanitized by the host application before rendering.
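A host-side mitigation for the behaviour described above (the same-origin rendering risk in the description, and the "host application must sanitize before rendering" item in Expected behavior), given here as an added example; it is not Unlayer's code and not part of the original report. It assumes the { design, html } object that the unlayer.exportHtml callback receives, uses a constructed sample export that mirrors the payload from the reproduction steps, and the helper names gateExport, findExecutableContent and renderUntrustedPreview are hypothetical.

```javascript
// Added example (not Unlayer's code): gating and safely previewing the output of
// editor.exportHtml() in the host application.

// Constructed sample export, shaped like the { design, html } object Unlayer
// passes to the exportHtml callback. The design JSON is a placeholder.
const SAMPLE_EXPORT = {
  design: { body: { rows: [] } },
  html: '<html><body><div class="u-row">' +
        '<img src=x onerror="alert(document.domain)">' +
        '<script>alert(\'xss\')</script>' +
        '<a href="javascript:alert(1)">link</a>' +
        '<p>hello</p></div></body></html>',
};

// Heuristic scan for executable content. This is a tripwire for the export path
// and a regression check for the host's test-suite, NOT a sanitizer: pattern
// matching can be evaded (and can false-positive on attribute values that
// contain " on..="), so rendering must still go through a sandbox or a real
// sanitizer such as DOMPurify regardless of what this returns.
// data: is only flagged in href (navigable document); data: images in src are
// routine in email HTML and are left alone here.
const EXECUTABLE_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /<[^>]*\s+on[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
  { name: 'data-url',       re: /href\s*=\s*["']?\s*data:/i },
  { name: 'iframe-object',  re: /<\s*(?:iframe|object|embed)\b/i },
];

function findExecutableContent(html) {
  return EXECUTABLE_PATTERNS.filter(p => p.re.test(html)).map(p => p.name);
}

// Wraps the exportHtml result: reports whether the tripwire fired so the app
// can log/alert or refuse to store the export as "clean" markup.
function gateExport(data) {
  const findings = findExecutableContent(data.html);
  return { ok: findings.length === 0, findings, html: data.html };
}

// Safe live preview: an origin-less, script-less iframe. An empty sandbox
// attribute gives the frame a unique opaque origin and disables script
// execution, so even un-sanitized markup cannot run or reach the host page's
// DOM, cookies or storage. srcdoc replaces the document.write / innerHTML
// rendering paths named in the report. Browser-only; returns null without a DOM.
function renderUntrustedPreview(html, container) {
  if (typeof document === 'undefined') return null;
  const frame = document.createElement('iframe');
  frame.setAttribute('sandbox', '');          // no allow-scripts, no allow-same-origin
  frame.setAttribute('referrerpolicy', 'no-referrer');
  frame.srcdoc = html;
  container.appendChild(frame);
  return frame;
}

// Host integration, using the real unlayer.exportHtml call shape (browser only):
// unlayer.exportHtml(data => {
//   const gated = gateExport(data);
//   if (!gated.ok) console.warn('executable content in export:', gated.findings);
//   renderUntrustedPreview(gated.html, document.getElementById('preview'));
// });
```

The sandbox attribute is the actual security control here; the pattern scan only tells you that the HTML tool let executable markup through, which is useful as a test against future Unlayer releases and as telemetry. Anywhere the exported HTML must be rendered same-origin (or sent as email to clients that honour scripts), run it through a proper sanitizer first; safeHtml: true does not do that.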
Environment
Your: https://examples.unlayer.com/email/simple-email/
Our:
Unlayer embed.js 1.235.0
displayMode: 'email'
Integration: direct unlayer.createEditor(...) via embed.js