A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed.
This vulnerability also impacts these related TinyMCE APIs and plugins:
This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.
Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.
Acknowledgements
Tiny Technologies would like to thank Masato Kinugawa of Cure53 for discovering this vulnerability.
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit require carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered.
When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when a notification was presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content.
Patches
This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.
Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.
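An added example (not TinyMCE's own code) of how an integration can keep untrusted values out of the notification text argument described above: every interpolated value is HTML-escaped before `editor.notificationManager.open` is called. `escapeHtml`, `safeText` and `notifyUploadError` are hypothetical helper names introduced for illustration.

```javascript
// Added example: build notification text from untrusted values without
// letting them be interpreted as markup. Helper names are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;'
};

// Escape the five characters that can open or close markup or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are trusted (written by the developer),
// every interpolated value is treated as untrusted and escaped.
function safeText(strings, ...values) {
  return strings.reduce(
    (out, literal, i) =>
      out + literal + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Hypothetical integration code: report a failed upload to the user.
// fileName and reason may come from user-controlled content.
function notifyUploadError(editor, fileName, reason) {
  const text = safeText`Could not upload ${fileName}: ${reason}`;
  return editor.notificationManager.open({ text, type: 'error' });
}
```

Escaping on the integration side stays useful after upgrading, because it keeps user-supplied names from being rendered as formatting inside the notification.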
A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. Such mutations occur when serialised HTML content is processed before being stored in the undo stack, or when the following APIs and plugins are used:
This vulnerability has been patched in TinyMCE 6.7.3 by:
ensuring that any unescaped text nodes which contain the special internal marker are emptied before removing the marker from the rest of the HTML, and
removing the special internal marker from content strings passed to Editor.setContent, Editor.insertContent, and Editor.resetContent APIs to prevent them from being loaded into the editor as user-provided content.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 6.7.3 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.10.9 or higher for TinyMCE 5.x.
Acknowledgements
Tiny Technologies would like to thank Masato Kinugawa of Cure53 for discovering this vulnerability.
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an object or embed element and that image could potentially contain an XSS payload.
Fix
TinyMCE 6.8.1 introduced a new convert_unsafe_embeds option to automatically convert object and embed elements respective of their type attribute. From TinyMCE 7.0.0 onwards, the convert_unsafe_embeds option is enabled by default.
Workarounds
If you are using TinyMCE 6.8.1 or higher, set convert_unsafe_embeds to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify any object or embed elements. This can be added using the editor.parser.addNodeFilter and editor.serializer.addNodeFilter APIs.
Acknowledgements
Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
Fix
TinyMCE 6.8.1 introduced a new sandbox_iframes boolean option which adds the sandbox="" attribute to every iframe element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in iframe elements. From TinyMCE 7.0.0 onwards the default value of this option is true.
In TinyMCE 7.0.0 a new sandbox_iframes_exclusions option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox="" attribute applied when the sandbox_iframes option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe elements from every domain, set this option to [].
Workarounds
The HTTP Content-Security-Policy (CSP) frame-src or object-src directives can be configured to restrict or block the loading of unauthorized URLs. Refer to the TinyMCE Content Security Policy Guide.
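An added example (not TinyMCE's own code) that applies the embed and iframe guidance from the two advisories above in one place: on 6.8.1 or higher it sets `convert_unsafe_embeds` and `sandbox_iframes`, and on earlier versions it registers node filters that remove `object` and `embed` elements. `hardenEditorConfig`, `versionAtLeast`, `removeNodes` and the `sandboxEveryDomain` flag are hypothetical names; registering the filters in a `PreInit` handler is an assumption about where to hook them.

```javascript
// Added example: pick the embed/iframe hardening that the running TinyMCE
// version supports. All function and option names below are hypothetical,
// except the TinyMCE options and addNodeFilter APIs named in the advisories.

// Parse "6.8.1" into [6, 8, 1]; missing or non-numeric parts count as 0.
function parseVersion(version) {
  return String(version).split('.').map((part) => parseInt(part, 10) || 0);
}

function versionAtLeast(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    const diff = (a[i] || 0) - (b[i] || 0);
    if (diff !== 0) return diff > 0;
  }
  return true; // equal versions
}

// Node filter callback: receives the matched nodes and detaches each one.
function removeNodes(nodes) {
  for (const node of nodes) {
    node.remove();
  }
}

function hardenEditorConfig(version, config, options = {}) {
  const hardened = { ...config };

  if (versionAtLeast(version, '6.8.1')) {
    // Built-in options exist from 6.8.1; set them explicitly so the
    // behaviour does not depend on the version's defaults.
    hardened.convert_unsafe_embeds = true;
    hardened.sandbox_iframes = true;
    if (versionAtLeast(version, '7.0.0') && options.sandboxEveryDomain) {
      // An empty exclusion list sandboxes iframes from every domain.
      hardened.sandbox_iframes_exclusions = [];
    }
    return hardened;
  }

  // Earlier versions: fall back to custom node filters on both the parser
  // (content coming in) and the serializer (content going out).
  const userSetup = config.setup;
  hardened.setup = (editor) => {
    editor.on('PreInit', () => {
      editor.parser.addNodeFilter('object,embed', removeNodes);
      editor.serializer.addNodeFilter('object,embed', removeNodes);
    });
    if (typeof userSetup === 'function') {
      userSetup(editor); // keep any setup callback the caller already had
    }
  };
  return hardened;
}

// Typical call in a page that has loaded TinyMCE:
//   const version = tinymce.majorVersion + '.' + tinymce.minorVersion;
//   tinymce.init(hardenEditorConfig(version, { selector: '#editor' }));
```

The fallback branch only covers `object` and `embed`; for iframes on versions before 6.8.1 the CSP workaround above still applies.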
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.
Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 7.2.0 or higher.
Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.
Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements is properly parsed.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 7.2.0 or higher.
Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
Acknowledgements
Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.
tinymce/tinymce (tinymce)
### [`v7.0.0`](https://togithub.com/tinymce/tinymce/blob/HEAD/modules/tinymce/CHANGELOG.md#700---2024-03-20)
[Compare Source](https://togithub.com/tinymce/tinymce/compare/tinymce@6.8.4...7.0.0)
##### Added
- New `license_key` option that must be set to `gpl` or a valid license key. #TINY-10681
- New custom tooltip functionality, tooltip will be shown when hovering with a mouse or with keyboard focus. #TINY-9275
- New `sandbox_iframes_exclusions` option that holds a list of URL host names to be excluded from iframe sandboxing when `sandbox_iframes` is set to `true`. #TINY-10350
- Added 'getAllEmojis' api function to the emoticons plugin. #TINY-10572
- Element preset support for the `valid_children` option and Schema.addValidChildren API. #TINY-9979
- A new `trigger` property for block text pattern configurations, allowing pattern activation with either Space or Enter keys. #TINY-10324
- onFocus callback for CustomEditor dialog component. #TINY-10596
- icons for the import from Word, export to Word and export to PDF premium plugins. #TINY-10612
- `data` is now a valid element in the Schema. #TINY-10611
- More advanced schema config for custom elements. #TINY-9980
- Custom tooltip for autocompleter, now visible on both mouse hover and keyboard focus, except single column cases. #TINY-9638
##### Improved
- Included keyboard shortcut in custom tooltip for `ToolbarButton` and `ToolbarToggleButton`. #TINY-10487
- Improved showing which element has focus for keyboard navigation. #TINY-9176
- Custom tooltips will now show for items in `collection` which is rendered inside a dialog, on mouse hover and keyboard focus. #TINY-9637
- Autocompleter will now work with IMEs. #TINY-10637
- Make table ghost element better reflect height changes when resizing. #TINY-10658
##### Changed
- TinyMCE is now licensed GPL Version 2 or later. #TINY-10578
- `convert_unsafe_embeds` editor option is now defaulted to `true`. #TINY-10351
- `sandbox_iframes` editor option is now defaulted to `true`. #TINY-10350
- The DOMUtils.isEmpty API function has been modified to consider nodes containing only comments as empty. #TINY-10459
- The `highlight_on_focus` option now defaults to true, adding a focus outline to every editor. #TINY-10574
- Delay before the tooltip to show up, from 800ms to 300ms. #TINY-10475
- Now `tox-view__pane` has `position: relative` instead of `static`. #TINY-10561
- Update outbound link for statusbar Tiny logo #TINY-10494
- Remove the height field from the `table` plugin cell dialog. The `table` plugin row dialog now controls the row height by setting the height on the `tr` element, not the `td` elements. #TINY-10617
- Change table height resizing handling to remove heights from `td`/`th` elements and only apply to `tr` elements. #TINY-10589
- Removed incorrect `aria-placeholder` attribute from editor body when `placeholder` option is set. #TINY-10452
- The `tooltip` property for dialog's footer `togglebutton` is now optional. #TINY-10672
- Changed the `media_url_resolver` option to use promises. #TINY-9154
- `Styles` bespoke toolbar button fallback changed to `Formats` if `Paragraph` is not configured in `style_formats` option. #TINY-10603
- Updated deprecation/removed console message. #TINY-10694
##### Removed
- Deprecated `force_hex_color` option, with the default now being all colors are forced to hex format as lower case. #TINY-10436
- Deprecated `remove_trailing_brs` option from DomParser. #TINY-10454
- `title` attribute on buttons with visible label. #TINY-10453
- `InsertOrderedList` and `InsertUnorderedList` commands from core, these now only exist in the `lists` plugin. #TINY-10644
- `closeButton` from the notification API, close buttons in notifications are now required. #TINY-10646
- The autocompleter `ch` configuration property has been removed. Use the `trigger` property instead. #TINY-8929
- Deprecated `template` plugin. #TINY-10654
##### Fixed
- When deleting the last row in a table, the cursor would jump to the first cell (top left), instead of moving to the next adjacent cell in some cases. #TINY-6309
- Heading formatting would be partially applied to the content within the `summary` element when the caret was positioned between words. #TINY-10312
- Moving focus to the outside of the editor after having clicked a menu would not fire a `blur` event as expected. #TINY-10310
- Autocomplete would sometimes cause corrupt data when starting during text composition. #TINY-10317
- Inline mode with persisted toolbar would show regardless of the skin being loaded, causing css issues. #TINY-10482
- Table classes couldn't be removed via setting an empty value in `table_class_list`. Also fixed being forced to pick the first class option. #TINY-6653
- Directly right clicking on a ol's li in FireFox didn't enable the button `List Properties...` in the context menu. #TINY-10490
- The `link_default_target` option wasn't considered when inserting a link via `quicklink` toolbar. #TINY-10439
- When inline editor toolbar wrapped to multiple lines the top wasn't always calculated correctly. #TINY-10580
- Removed manually dispatching dragend event on drop in Firefox. #TINY-10389
- Slovenian help dialog content had a dot in the wrong place. #TINY-10601
- Pressing Backspace at the start of an empty `summary` element within a `details` element nested in a list item no longer removes the `summary` element. #TINY-10303
- The toolbar width was miscalculated for the inline editor positioned inside a scrollable container. #TINY-10581
- Fixed incorrect object processor for `event_root` option. #TINY-10433
- Adding newline after using `selection.setContent` to insert a block element would throw an unhandled exception. #TINY-10560
- Floating toolbar buttons in inline editor incorrectly wrapped into multiple rows on window resizing or zooming. #TINY-10570
- When setting table border width and `table_style_by_css` is true, only the border attribute is set to 0 and border-width styling is no longer used. #TINY-10308
- Clicking to the left or right of a non-editable div in Firefox would show two cursors. #TINY-10314
### [`v6.8.4`](https://togithub.com/tinymce/tinymce/compare/6.8.3...tinymce@6.8.4)
[Compare Source](https://togithub.com/tinymce/tinymce/compare/6.8.3...tinymce@6.8.4)
### [`v6.8.3`](https://togithub.com/tinymce/tinymce/blob/HEAD/modules/tinymce/CHANGELOG.md#683---2024-02-08)
[Compare Source](https://togithub.com/tinymce/tinymce/compare/6.8.2...6.8.3)
##### Changed
- Update outbound TinyMCE website links. #TINY-10491
##### Fixed
- The floating toolbar would not be fully visible when the editor was placed inside a scrollable container. #TINY-10335
- ShadowDOM skin was not loaded properly when used with js bundling feature. #TINY-10451
### [`v6.8.2`](https://togithub.com/tinymce/tinymce/blob/HEAD/modules/tinymce/CHANGELOG.md#682---2023-12-11)
[Compare Source](https://togithub.com/tinymce/tinymce/compare/6.8.1...6.8.2)
##### Fixed
- Bespoke select toolbar buttons including `fontfamily`, `fontsize`, `blocks`, and `styles` incorrectly used plural words in their accessible names. #TINY-10426
- The `align` bespoke select toolbar button had an accessible name that was misleading and grammatically incorrect in certain cases. #TINY-10435
- Accessible names of bespoke select toolbar buttons including `align`, `fontfamily`, `fontsize`, `blocks`, and `styles` were incorrectly translated. #TINY-10426 #TINY-10435
- Clicking inside table cells with heavily nested content could cause the browser to hang. #TINY-10380
- Toggling a list that contains an LI element having another list as its first child would remove the remaining content within that LI element. #TINY-10414
### [`v6.8.1`](https://togithub.com/tinymce/tinymce/blob/HEAD/modules/tinymce/CHANGELOG.md#681---2023-11-29)
[Compare Source](https://togithub.com/tinymce/tinymce/compare/6.8.0...6.8.1)
##### Improved
- Colorpicker now includes the Brightness/Saturation selector and hue slider in the keyboard navigable items. #TINY-9287
##### Fixed
- Translation syntax for announcement text in the table grid was incorrectly formatted. #TINY-10141
- The functions `schema.isWrapper` and `schema.isInline` did not exclude node names that started with `#` which should not be considered as elements. #TINY-10385
### [`v6.8.0`](https://togithub.com/tinymce/tinymce/blob/HEAD/modules/tinymce/CHANGELOG.md#680---2023-11-22)
[Compare Source](https://togithub.com/tinymce/tinymce/compare/6.7.3...6.8.0)
##### Added
- CSS files are now also generated as separate JS files to improve bundling of all resources. #TINY-10352
- Added new `StylesheetLoader.loadRawCss` API that can be used to load CSS into a style element. #TINY-10352
- Added new `StylesheetLoader.unloadRawCss` API that can be used to unload CSS that was loaded into a style element. #TINY-10352
- Added `force_hex_color` editor option. Option `'always'` converts all RGB & RGBA colours to hex, `'rgb_only'` will only convert RGB and *not* RGBA colours to hex, `'off'` won't convert any colours to hex. #TINY-9819
- Added `default_font_stack` editor option that makes it possible to define what is considered a system font stack. #TINY-10290
- New `sandbox_iframes` option that controls whether iframe elements will be added a `sandbox=""` attribute to mitigate malicious intent. #TINY-10348
- New `convert_unsafe_embeds` option that controls whether `
This PR contains the following updates:
5.10.0 -> 7.0.0
GitHub Vulnerability Alerts
CVE-2023-45818
Impact
A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability also impacts these related TinyMCE APIs and plugins:
tinymce.Editor.getContent({ format: 'raw' })
tinymce.Editor.resetContent()
Patches
This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation.
Fix
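To avoid this vulnerability:
Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.
Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.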
Acknowledgements
Tiny Technologies would like to thank Masato Kinugawa of Cure53 for discovering this vulnerability.
CVE-2023-45819
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit require carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered.
When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when a notification was presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content.
Patches
This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit.
Fix
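To avoid this vulnerability:
Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.
Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.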
CVE-2023-48219
Impact
A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitisation layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. Such mutations occur when serialised HTML content is processed before being stored in the undo stack, or when the following APIs and plugins are used:
tinymce.Editor.getContent({ format: 'raw' })
tinymce.Editor.resetContent()
Patches
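This vulnerability has been patched in TinyMCE 6.7.3 by:
ensuring that any unescaped text nodes which contain the special internal marker are emptied before removing the marker from the rest of the HTML, and
removing the special internal marker from content strings passed to `Editor.setContent`, `Editor.insertContent`, and `Editor.resetContent` APIs to prevent them from being loaded into the editor as user-provided content.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 6.7.3 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.10.9 or higher for TinyMCE 5.x.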
Acknowledgements
Tiny Technologies would like to thank Masato Kinugawa of Cure53 for discovering this vulnerability.
For more information
Email us at infosec@tiny.cloud
Open an issue in the TinyMCE repo
CVE-2024-29881
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an `object` or `embed` element and that image could potentially contain an XSS payload.
Fix
TinyMCE 6.8.1 introduced a new `convert_unsafe_embeds` option to automatically convert `object` and `embed` elements respective of their `type` attribute. From TinyMCE 7.0.0 onwards, the `convert_unsafe_embeds` option is enabled by default.
Workarounds
If you are using TinyMCE 6.8.1 or higher, set `convert_unsafe_embeds` to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify any `object` or `embed` elements. This can be added using the `editor.parser.addNodeFilter` and `editor.serializer.addNodeFilter` APIs.
Acknowledgements
Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.
CVE-2024-29203
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
Fix
TinyMCE 6.8.1 introduced a new `sandbox_iframes` boolean option which adds the `sandbox=""` attribute to every `iframe` element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in `iframe` elements. From TinyMCE 7.0.0 onwards the default value of this option is `true`.
In TinyMCE 7.0.0 a new `sandbox_iframes_exclusions` option was also added, allowing a list of domains to be specified that should be excluded from having the `sandbox=""` attribute applied when the `sandbox_iframes` option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox `iframe` elements from every domain, set this option to `[]`.
Workarounds
The HTTP Content-Security-Policy (CSP) `frame-src` or `object-src` directives can be configured to restrict or block the loading of unauthorized URLs. Refer to the TinyMCE Content Security Policy Guide.
CVE-2024-38356
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.
Patches
This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 7.2.0 or higher.
Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).
CVE-2024-38357
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.
Patches
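This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements is properly parsed.
Fix
To avoid this vulnerability:
Upgrade to TinyMCE 7.2.0 or higher.
Upgrade to TinyMCE 6.8.4 or higher for TinyMCE 6.x.
Upgrade to TinyMCE 5.11.0 LTS or higher for TinyMCE 5.x (only available as part of commercial long-term support contract).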
Acknowledgements
Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.