GHSA-3h6j-9x8m-rg3g: Graby has stored XSS via iframe srcdoc Attribute in htmLawed Sanitization Config
Graby's cleanupXss() function configures htmLawed with two conflicting settings: safe=1, which removes <iframe> along with other risky elements, and 'elements' => '*+iframe-meta', which re-enables <iframe> (and drops <meta>). htmLawed does not strip the srcdoc attribute, so an attacker-controlled page can supply <iframe srcdoc="..."> carrying arbitrary JavaScript. A srcdoc frame without a sandbox attribute inherits its parent's origin, so that script runs in the origin of the consuming application whenever the sanitized content is output unescaped, for example via Twig's |raw filter.
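The following is an added example, not Graby's own code, showing the conflicting htmLawed configuration beside a hardened variant that keeps <iframe> for embeds but denies srcdoc and on* attributes. It assumes htmLawed is installed via Composer and exposes the procedural htmLawed() function, that deny_attribute accepts any attribute name (including srcdoc), and the payload string is constructed for the demonstration.

```php
<?php
// Added example (not from Graby or htmLawed). Assumes the htmlawed/htmlawed Composer
// package provides the htmLawed($html, $config) function.
require __DIR__ . '/vendor/autoload.php';

// Constructed test input: an iframe whose srcdoc holds an entity-encoded inline
// document with a script tag. Browsers decode the entities and run the script.
$payload = '<p>hello</p>'
    . '<iframe srcdoc="&lt;script&gt;alert(document.domain)&lt;/script&gt;"></iframe>';

// The configuration shape described in the advisory: safe=1 would drop <iframe>,
// but 'elements' => '*+iframe-meta' re-adds it, and srcdoc passes through untouched.
$vulnerableConfig = [
    'safe'     => 1,
    'elements' => '*+iframe-meta',
];

// Hardened variant (assumption: deny_attribute honours arbitrary attribute names).
// <iframe> stays available for embeds, but srcdoc (inline same-origin document)
// and on* event handlers are stripped from every element.
$hardenedConfig = [
    'safe'           => 1,
    'elements'       => '*+iframe-meta',
    'deny_attribute' => 'srcdoc, on*',
];

// Simple post-sanitization check a consuming application can run before
// rendering the HTML unescaped (e.g. with Twig's |raw).
function containsSrcdoc(string $html): bool
{
    return stripos($html, 'srcdoc') !== false;
}

$before = htmLawed($payload, $vulnerableConfig);
$after  = htmLawed($payload, $hardenedConfig);

echo "vulnerable config: {$before}", PHP_EOL;
echo "hardened config:   {$after}", PHP_EOL;
var_dump(containsSrcdoc($before)); // true  per the advisory: srcdoc survives
var_dump(containsSrcdoc($after));  // false: srcdoc denied by the hardened config
```

If your deployment cannot confirm that the installed htmLawed version honours deny_attribute for srcdoc, treat a true result from containsSrcdoc() on sanitized output as a failed sanitization and refuse to render the content with |raw; alternatively drop the '+iframe' re-enablement entirely where embeds are not required.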