oro/commerce is vulnerable to cross-site scripting. The vulnerability exists through the grapesjs
dependency used in the library as it does not properly validate the class name in ClassTagView.ts
when it adds to the selector manager, allowing an attacker to inject and execute malicious javascript