fix(deps): update dependency tinymce to v7 [security] #1236
+18
−4
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^5.10.4
->^7.0.0
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-29881
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. A SVG image could be loaded though an
object
orembed
element and that image could potentially contain a XSS payload.Fix
TinyMCE 6.8.1 introduced a new
convert_unsafe_embeds
option to automatically convertobject
andembed
elements respective of theirtype
attribute. From TinyMCE 7.0.0 onwards, theconvert_unsafe_embeds
option is enabled by default.Workarounds
If you are using TinyMCE 6.8.1 or higher, set
convert_unsafe_embeds
to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify anyobject
orembed
elements. This can be added using theeditor.parser.addNodeFilter
andeditor.serializer.addNodeFilter
APIs.Acknowledgements
Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.
References
CVE-2024-29203
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed
iframe
elements containing malicious code to execute when inserted into the editor. Theseiframe
elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.Fix
TinyMCE 6.8.1 introduced a new
sandbox_iframes
boolean option which adds thesandbox=""
attribute to everyiframe
element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources iniframe
elements. From TinyMCE 7.0.0 onwards the default value of this option istrue
.In TinyMCE 7.0.0 a new
sandbox_iframes_exclusions
option was also added, allowing a list of domains to be specified that should be excluded from having thesandbox=""
attribute applied when thesandbox_iframes
option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandboxiframe
elements from every domain, set this option to[]
.Workarounds
The HTTP Content-Security-Policy (CSP)
frame-src
orobject-src
can be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.References
CVE-2024-38356
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the
noneditable_regexp
option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the
noneditable_regexp
option, any content within an attribute is properly verified to match the configured regular expression before being added.Fix
To avoid this vulnerability:
References
For more information
If you have any questions or comments about this advisory:
CVE-2024-38357
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.
Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed.
Fix
To avoid this vulnerability:
Acknowledgements
Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.
References
For more information
If you have any questions or comments about this advisory:
Release Notes
tinymce/tinymce (tinymce)
v7.0.0
Compare Source
Added
license_key
option that must be set togpl
or a valid license key. #TINY-10681sandbox_iframes_exclusions
option that holds a list of URL host names to be excluded from iframe sandboxing whensandbox_iframes
is set totrue
. #TINY-10350valid_children
option and Schema.addValidChildren API. #TINY-9979trigger
property for block text pattern configurations, allowing pattern activation with either Space or Enter keys. #TINY-10324data
is now a valid element in the Schema. #TINY-10611Improved
ToolbarButton
andToolbarToggleButton
. #TINY-10487collection
which is rendered inside a dialog, on mouse hover and keyboard focus. #TINY-9637Changed
convert_unsafe_embeds
editor option is now defaulted totrue
. #TINY-10351sandbox_iframes
editor option is now defaulted totrue
. #TINY-10350highlight_on_focus
option now defaults to true, adding a focus outline to every editor. #TINY-10574tox-view__pane
hasposition: relative
instead ofstatic
. #TINY-10561table
plugin cell dialog. Thetable
plugin row dialog now controls the row height by setting the height on thetr
element, not thetd
elements. #TINY-10617td
/th
elements and only apply totr
elements. #TINY-10589aria-placeholder
attribute from editor body whenplaceholder
option is set. #TINY-10452tooltip
property for dialog's footertogglebutton
is now optional. #TINY-10672media_url_resolver
option to use promises. #TINY-9154Styles
bespoke toolbar button fallback changed toFormats
ifParagraph
is not configured instyle_formats
option. #TINY-10603Removed
force_hex_color
option, with the default now being all colors are forced to hex format as lower case. #TINY-10436remove_trailing_brs
option from DomParser. #TINY-10454title
attribute on buttons with visible label. #TINY-10453InsertOrderedList
andInsertUnorderedList
commands from core, these now only exist in thelists
plugin. #TINY-10644closeButton
from the notification API, close buttons in notifications are now required. #TINY-10646ch
configuration property has been removed. Use thetrigger
property instead. #TINY-8929template
plugin. #TINY-10654Fixed
summary
element when the caret was positioned between words. #TINY-10312blur
event as expected. #TINY-10310table_class_list
. Also fixed being forced to pick the first class option. #TINY-6653List Properties...
in the context menu. #TINY-10490link_default_target
option wasn't considered when inserting a link viaquicklink
toolbar. #TINY-10439summary
element within adetails
element nested in a list item no longer removes thesummary
element. #TINY-10303event_root
option. #TINY-10433selection.setContent
to insert a block element would throw an unhandled exception. #TINY-10560table_style_by_css
is true, only the border attribute is set to 0 and border-width styling is no longer used. #TINY-10308v6.8.5
Compare Source
v6.8.4
Compare Source
v6.8.3
Compare Source
Changed
Fixed
v6.8.2
Compare Source
Fixed
fontfamily
,fontsize
,blocks
, andstyles
incorrectly used plural words in their accessible names. #TINY-10426align
bespoke select toolbar button had an accessible name that was misleading and grammatically incorrect in certain cases. #TINY-10435align
,fontfamily
,fontsize
,blocks
, andstyles
were incorrectly translated. #TINY-10426 #TINY-10435v6.8.1
Compare Source
Improved
Fixed
schema.isWrapper
andschema.isInline
did not exclude node names that started with#
which should not be considered as elements. #TINY-10385v6.8.0
Compare Source
Added
StylesheetLoader.loadRawCss
API that can be used to load CSS into a style element. #TINY-10352StylesheetLoader.unloadRawCss
API that can be used to unload CSS that was loaded into a style element. #TINY-10352force_hex_color
editor option. Option'always'
converts all RGB & RGBA colours to hex,'rgb_only'
will only convert RGB and not RGBA colours to hex,'off'
won't convert any colours to hex. #TINY-9819default_font_stack
editor option that makes it possible to define what is considered a system font stack. #TINY-10290sandbox_iframes
option that controls whether iframe elements will be added asandbox=""
attribute to mitigate malicious intent. #TINY-10348convert_unsafe_embeds
option that controls whether<object>
and<embed>
elements will be converted to more restrictive alternatives, namely<img>
for image MIME types,<video>
for video MIME types,<audio>
audio MIME types, or<iframe>
for other or unspecified MIME types. #TINY-10349Improved
size: 'large'
argument in the dialog spec. #TINY-10209align
,fontfamily
,fontsize
,blocks
, andstyles
did not include their visible text labels in their accessible names. #TINY-10147Fixed
setProgressState
API would cause the window to be scrolled when the editor wasn't fully visible. #TINY-10172summary
element extended its application to the content of the parentdetails
element. #TINY-10154forecolor
andbackcolor
buttons. #TINY-9796addIcon
API documentation. #TINY-10230size
argument was changed when redialling a dialog. #TINY-10209contenteditable="true"
attribute within a table cell would not be treated as content and get removed if backspace or delete was being pressed. #TINY-10010details
element would incorrectly merge its content. #TINY-10133getModifierState
did not work on events passed through the editor as expected. #TINY-10263async
for editor rendering which caused visual blinking when reloading the editor in-place. #TINY-10249p
inside alist
via delete or backspace would incorrectly try to move a parent element inside a child element. #TINY-10289accordion
block. #TINY-10291fontsizeinput
toolbar item was causing console warnings when toolbar items were clicked. #TINY-10330li
via enter inside a nested list would not inherit styles from the sourceli
. #TINY-10316v6.7.3
Compare Source
Changed
setContent
,insertContent
, andresetContent
APIs. #TINY-10305Fixed
getContent
andsetContent
APIs with theformat: 'raw'
option, which also affected theresetContent
API and the draft restoration feature of the Autosave plugin. #TINY-10305v6.7.2
Compare Source
Fixed
getModifierState
did not work on events passed through the editor as expected. #TINY-10263async
for editor rendering which caused visual blinking when reloading the editor in-place. #TINY-10249accordion
toggling with the Enter key press would behave incorrectly on Safari. #TINY-10177v6.7.1
Compare Source
Fixed
getContent
andsetContent
APIs with theformat: 'raw'
option, which also affected theresetContent
API and the draft restoration feature of the Autosave plugin. #TINY-10236v6.7.0
Compare Source
Added
help_accessibility
option displays the keyboard shortcut to open the in-application help in the status bar. #TINY-9379InsertNewBlockBefore
command which inserts an empty block before the block containing the current selection. #TINY-10022InsertNewBlockAfter
command which inserts an empty block after the block containing the current selection. #TINY-10022Improved
Changed
UndoLevelType
fromenum
to union type so that it is easier to use. #TINY-9764Fixed
<div>
elements only created a partial list. #TINY-9872iframe
dialog components. #TINY-9815<details>
element if it was nested within another<details>
element. #TINY-9965<li>
elements that only contained<br>
tags sometimes caused a crash. #TINY-6888<summary>
element from a<details>
element by dragging and dropping. #TINY-9960<summary>
elements if content containing block elements was dragged-and-dropped inside them. #TINY-9960<script>
tags in the editor body to<image>
tags. #TINY-10007<details>
element when it is the first or last content element. Pressing the Up or Down arrow key now inserts a block element before or after the<details>
element. #TINY-9827contenteditable="true"
attribute within a noneditable root was deleted when the Backspace key was pressed. #TINY-10011color_cols
option was not respected when set to the value 5 with a customcolor_map
specified. #TINY-10126<summary>
element removed the entire<details>
element if it had no other content. #TINY-10123v6.6.2
Compare Source
Fixed
streamContent: true
iframe dialog component. #TINY-10128v6.6.1
Compare Source
Added
pad_empty_with_br
. Set totrue
to pad empty block elements with<br>
tags instead of the
character entity. #TINY-9861Improved
streamContent: true
set are now throttled to 500ms intervals. #TINY-10097Changed
Fixed
streamContent: true
iframe dialog component. #TINY-10078streamContent: true
was set. #TINY-10109streamContent: true
iframe dialog component with content lacking an HTML document type declaration. #TINY-10110iframe
dialog components did not highlight when focused. #TINY-10101color_cols
option was not respected when a customcolor_map
was defined. #TINY-10098color_cols
options were were not rounded to the nearest number when set to a decimal number. #TINY-9737v6.6.0
Compare Source
Added
bottom
— for inline dialog configurations that anchors the dialog to the bottom of the editor. #TINY-9888persistent
— for inline dialog configurations that will stop the dialog closing when clicking away from it. #TINY-9991ai
,ai-prompt
andsend
icons. #TINY-9942streamContent
— for theiframe
dialog component. This causessetData()
to update content without reloading the frame, and end scroll positions will be maintained as new content streams in. #TINY-10032border
— for theiframe
dialog component that allows a border to be added. #TINY-10049align
— for the label dialog component that controls text alignment. #TINY-10058Improved
iframe
dialog component now has a minimum height of 200px. #TINY-10059ui_mode: 'split'
option is set. #TINY-9385Changed
alertbanner
dialog component is no longer clickable if the URL field is not specified. #TINY-10013Fixed
size
setting to have no effect. #TINY-10015v6.5.1
Compare Source
Fixed
v6.5.0
Compare Source
Added
h
hash parameter in Vimeo video URLs in the Media plugin. #TINY-9830table_merge_content_on_paste
option which disables the merging behaviour when pasting a table inside an existing table. #TINY-9808defaultExpandedIds
andonToggleExpand
options to thetree
component config. #TINY-9653defaultSelectedId
option to thetree
component config. #TINY-9715accordion
plugin with theInsertAccordion
command. #TINY-9730accordion
andaccordion-toggle
icons. #TINY-9789details_initial_state
anddetails_serialized_state
options. #TINY-9732init_content_sync
option that initializes the editor iframe usingdocument.write
instead ofsrcdoc
. #TINY-9818newdocument_content
option that sets the content presented in the editor on choosing File -> New document or pressing the New document toolbar button. #TINY-9839editable_root
option that can be set tofalse
to prevent editing of the editor’s root element. #TINY-9839editor.setEditableRoot
API that sets the editable state of the editor root element. #TINY-9839editor.hasEditableRoot
API that returnstrue
orfalse
depending on the editable state of the editor root element. #TINY-9839EditableRootStateChange
event that gets dispatched when the state of the editable root is changed. #TINY-9839dl
,dt
,dd
,ol
, andstrong
elements in dialog body content. #TINY-9919Improved
icon
field for a dialog’s footertogglebutton
is no longer mandatory. #TINY-9757contenteditable="false"
attribute. #TINY-9669codesample
plugin dialog and thetemplate
plugin dialog to use thelistbox
component to match other dialogs. #TINY-9630dataTransfer
property of drag and drop events for elements with acontenteditable="false"
attribute. #TINY-9601tabpanel
tab labels are now allowed to word wrap for better readability with long labels. #TINY-9947details
elements in the output HTML. #TINY-9959summary
elements so that they can be properly edited. #TINY-9959Changed
caption
,address
anddt
elements no longer incorrectly allow non-inline child elements when the editor schema is set to HTML 4. #TINY-9768class
instead ofid
to identify SVG elements that should change color. #TINY-9844<a>
— no longer incorrectly allow non-inline child elements when the editor schema is set to HTML 4. #TINY-9805medium
width for better readability. #TINY-9947Fixed
tree
component, a selected item in a directory would not stay selected after collapsing the directory. #TINY-9715contenteditable="false"
attribute set. #TINY-9664contenteditable="false"
attribute set in a root with acontenteditable="false"
attribute set. #TINY-9460media
plugin dialog. #TINY-8714<br>
tag. #TINY-9696media
plugin dialog by converting the Media Embed element to a standalone iframe. #TINY-8714advlist
plugin buttons. #TINY-9680dir
attribute on elements with acontenteditable="false"
attribute set when these elements were within a root with acontenteditable="false"
attribute set. #TINY-9662not-allowed
mouse pointer. #TINY-9758contenteditable="false"
context. #TINY-9678contenteditable="false"
context. #TINY-9678canApply
, was not returningfalse
when the selection was in acontenteditable="false"
context. #TINY-9678dragend
event would sometimes not fire when Firefox was the host browser. #TINY-9694unlink
editor command. #TINY-9739direction
CSS property set. #TINY-9314contenteditable
attribute set tofalse
. #TINY-9565beforeinput
andinput
events. #TINY-9829blockquote
element could fail when the insertion point was positioned at the end of theblockquote
. #TINY-9794<html>
tag were not parsed before being rendered for preview. #TINY-9867aria-describedby
attribute caused the dialog body to be announced when using a screen reader. #TINY-9816toolbar_location: 'bottom'
. #TINY-9718details
element resulted in broken markup. #TINY-9884contenteditable="false"
attribute. #TINY-9823details
elements. #TINY-9885v6.4.2
Compare Source
Fixed
urlinput
dialog component would not open the type-ahead dropdown when the input value was reset to an empty string. #TINY-9717tox-button
andtox-button-secondary
buttons now support thehover
,active
,focus
, anddisabled
states. #TINY-9713fontsizeinput
changed it to the default value instead of reverting it to the previous, and valid, value. #TINY-9754selection.scrollIntoView
API. #TINY-9747quickimage
toolbar button failed to insert images selected from the local computer when running on Google Chrome for macOS. #TINY-9769v6.4.1
Compare Source
Fixed
fontsizeinput
increase and decrease size buttons now work on TinyMCE mobile. #TINY-9725v6.4.0
Compare Source
Added
tree
component that can be used in dialog body panel. #TINY-9532renderUI
property in theTheme
type can now return aPromise<RenderResult>
instead ofRenderResult
. #TINY-9556isEditable
API toeditor.selection
that returns true or false if the current selection is editable. #TINY-9462isEditable
API toeditor.dom
that returns true or false if the specified node is editable. #TINY-9462setText
andsetIcon
methods added to menu button and toolbar button API. #TINY-9268highlight_on_focus
option which enables highlighting the content area on focus. #TINY-9277fontsizeinput
toolbar item which allows the user to set the size via input and also increase and decrease it with+
and-
buttons. #TINY-9429skipFocus
option to theToggleToolbarDrawer
command to preserve focus. #TINY-9337font_size_input_default_unit
option allows entry of numbers without a unit infontsizeinput
. They are then parsed as the set unit. Iffont_size_input_default_unit
is not set the default ispt
. #TINY-9585group
andtogglebutton
in view. #TINY-9523togglebutton
in dialog footer buttons. #TINY-9523toggleFullscreen
to dialog API. #TINY-9528text-size-increase
andtext-size-decrease
icons. #TINY-9530xss_sanitization
option to allow disabling of XSS sanitization. #TINY-9600ui_mode
option for editor in scrollable containers support. #TINY-9414region
when visible and the accessibility rolepresentation
when hidden. #TINY-9517tox-custom-editor
class now has a border highlight when it is selected. #TINY-9673contenteditable="false"
attribute. #TINY-9364Improved
inputfontsize
input field now moves focus back into the editor content. #TINY-9598contenteditable="false"
attribute now includes target element details. #TINY-9599Changed
link
plugins context menu items no longer appears for links that include elements with acontenteditable="false"
attribute. #TINY-9491contenteditable="false"
attribute are no longer cloned to new cells when new table rows are created. #TINY-9449@dialog-table-border-color
, and added right padding to the first cell of dialog table. #TINY-9380Fixed
searchreplace
modal closed incorrectly when clicking outside of the alert that pops up when no match is found. #TINY-9443onSetup
api function would not run when defining custom group toolbar button. #TINY-9496setIconFill
function toNestedMenuItemInstanceApi
. #TINY-9497advlist
plugin now show the correct state when the cursor is in a checklist. #TINY-5167editor.insertContent
API would insert contents inside elements with acontenteditable="false"
attribute if the selection was inside the element. #TINY-9462contenteditable="false"
attribute. #TINY-9305contenteditable="false"
attribute was possible if they were within an element with acontenteditable="false"
attribute. #TINY-9473contenteditable="false"
attribute. #TINY-9474contenteditable="false"
attribute as their root were incorrectly editable using list API commands, toolbar buttons and menu items. #TINY-9458#
character. #TINY-9457contenteditable="false"
attribute. #TINY-9459contenteditable="false"
attribute. #TINY-9459contenteditable="false"
attribute and for tables within an element with acontenteditable="false"
attribute. #TINY-9459contenteditable="false"
attribute. #TINY-9470contenteditable="false"
attribute. #TINY-9471onAction
callback. #TINY-9504ForwardDelete
andDelete
editor commands were deleting content within elements with acontenteditable="false"
attribute. #TINY-9477contenteditable="false"
attribute. #TINY-9477contenteditable="false"
attribute root would sometimes try to split the editable element. #TINY-9461contenteditable="false"
attribute on table borders would remove the element on drop. #TINY-9021contenteditable="false"
attribute would be removed when dragged and dropped within a root element with acontenteditable="false"
attribute. #TINY-9558contenteditable="false"
attribute that were inside an element with acontenteditable="false"
attribute. #TINY-9563fixed
orabsolute
positioned element. #TINY-9554color_cols
option was not respected in theforecolor
orbackcolor
color swatches. #TINY-9560contenteditable="false"
attribute out of its parent block would not properly pad the parent block element. #TINY-9606text_patterns
produced an invisible space before a word. #TINY-9603color_cols
or other column option was set to 0. #TINY-9649more...
toolbar button disappeared if the editor hadtoolbar_mode: 'sliding'
and the toolbar was opened. #TINY-9419autoresize
plugin would cause infinite resizing whencontent_css
was set todocument
. #TINY-8872v6.3.2
Compare Source
Fixed
v6.3.1
Compare Source
Fixed
WindowManager.alert
andWindowManager.confirm
APIs were not properly sanitized. #TINY-3548v6.3.0
Compare Source
Added
expand
function added totinymce.selection
which expands the selection around the nearest word. #TINY-9001expand
function added totinymce.dom.RangeUtils
to return a new range expanded around the nearest word. #TINY-9001color_map_background
andcolor_map_foreground
options which set the base colors used in thebackcolor
andforecolor
toolbar buttons and menu items. #TINY-9184storageKey
property tocolorinput
component andcolorswatch
fancy menu item. #TINY-9184addView
function added toeditor.ui.registry
which makes it possible to register custom editor views. #TINY-9210ToggleView
command which makes it possible to hide or show registered custom views. #TINY-9210color_default_foreground
andcolor_default_background
options to set the initial default color for theforecolor
andbackcolor
toolbar buttons and menu items. #TINY-9183getTransparentElements
function added totinymce.html.Schema
to return a map object of transparent HTML elements. #TINY-9172ToggleToolbarDrawer
event to subscribe to toolbar’s opening and closing. #TINY-9271Changed
setContent
is now allowed to accept any custom keys and values as a second options argument. #TINY-9143Improved
Fixed
getContent
API. #TINY-9186tinymce-5
skin. #TINY-9108editor.selection.getContent({ format: 'text' })
oreditor.getContent({ format: 'text' })
would sometimes deselect selected radio buttons. #TINY-9213quickbars
plugin showed when the cursor was in a fake block caret. #TINY-9190editor.selection.getRng()
API was not returning a proper range on hidden editors in Firefox. #TINY-9259editor.selection.getBookmark()
API was not returning a proper bookmark on hidden editors in Firefox. #TINY-9259contenteditable="false"
attribute. #TINY-9194tinymce.dom.styleSheetLoader
was not affected by thecontent_css_cors
option. #TINY-6037mceInsertContent
command on Enter key when running on Firefox. #TINY-9193v6.2.0
Compare Source
Added
text_patterns_lookup
option to provide additional text patterns dynamically. #TINY-8778Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.