Cross-Site Scripting in tinymce 7 fix #375

Closed
RGerhardt-Pressmind opened this issue Mar 28, 2024 · 3 comments

Comments

@RGerhardt-Pressmind

Hello, when is the tinymce update coming? Since today the npm update reports an official XSS bug. This would be fixed in tinymce 7.0, but tinymce-angular has not been updated for over a year. Is an update conceivable in the near future?

TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78

Regards
Robbyn

@danoaky-tiny
Contributor

danoaky-tiny commented Apr 2, 2024

I can't give you an exact date, although it is planned. You can still set `cloudChannel` to 7 or use TinyMCE version 7 through any of the other methods mentioned in the docs.
You'd also need to set the `license_key` prop in `init`, if applicable.

@TobiDimmel

In the meantime, you could set `convert_unsafe_embeds` to `true`, which was introduced with TinyMCE v6.8.1.
See GitHub advisory for details.

@danoaky-tiny
Contributor

This is fixed by #378, which adds TinyMCE 7 as the default cloud channel, amongst other supporting features for it.
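
The interim settings suggested in the comments above can be checked mechanically across a code base. The following is an added example, not code from this thread or from tinymce-angular: a TypeScript helper that classifies an editor setup by the TinyMCE version actually loaded and its `convert_unsafe_embeds` value. The type names, function names and sample setups are constructed for illustration, and it assumes the option defaults to off in 6.8.x and on from 7.0, which should be confirmed against the linked advisory.

```typescript
// Added example: audit helper for the object/embed SVG XSS advisory (GHSA-5359-pvf2-pw78).
// All names below are hypothetical; none of this is tinymce-angular or TinyMCE code.
type Exposure = "upgrade-required" | "exposed" | "mitigated";

interface EditorSetup {
  version: string; // TinyMCE version actually loaded, e.g. "6.8.1" or a cloud channel such as "7"
  init: { convert_unsafe_embeds?: boolean; [key: string]: unknown };
}

// Compare dotted versions numerically; missing or non-numeric parts count as 0.
function compareVersions(a: string, b: string): number {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff < 0 ? -1 : 1;
  }
  return 0;
}

function assessEmbedExposure(setup: EditorSetup): Exposure {
  // Per the thread, convert_unsafe_embeds was introduced with 6.8.1;
  // on older versions setting it changes nothing.
  if (compareVersions(setup.version, "6.8.1") < 0) return "upgrade-required";
  // Assumption: the option defaults to false in 6.8.x and to true from 7.0.
  const defaultOn = compareVersions(setup.version, "7.0.0") >= 0;
  // An explicit value in init always wins over the default, including an explicit false on 7.x.
  const effective = setup.init.convert_unsafe_embeds ?? defaultOn;
  return effective ? "mitigated" : "exposed";
}

// Constructed sample setups, not taken from any real project.
const SAMPLES: EditorSetup[] = [
  { version: "6.7.0", init: {} },
  { version: "6.8.1", init: {} },
  { version: "6.8.1", init: { convert_unsafe_embeds: true } },
  { version: "7", init: { license_key: "gpl" } },
  { version: "7.0.0", init: { convert_unsafe_embeds: false } },
];

function auditSamples(): Exposure[] {
  return SAMPLES.map(assessEmbedExposure);
}
```

The last sample is the case worth grepping for after an upgrade: an explicit `convert_unsafe_embeds: false` carried over in `init` keeps the editor exposed even on version 7.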
