jazzband / django-tinymce

TinyMCE integration for Django
http://django-tinymce.readthedocs.org/
MIT License

Upgrade TinyMCE to fix Cross-site scripting vulnerabilities #366

Closed sks444 closed 2 years ago

sks444 commented 3 years ago

Fixed in 5.6.0 https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65

Fixed in 5.7.1 https://github.com/tinymce/tinymce/security/advisories/GHSA-5vm8-hhgr-jcjp

bachvtuan commented 2 years ago

Is this fixed yet? GitHub is still warning about an XSS issue when using this package.

GriceTurrble commented 2 years ago

v3.3.0 on PyPI installs TinyMCE 5.5.0, which includes the vulnerability.

The master branch here appears more up-to-date, with TinyMCE 5.10.1 as of a couple of weeks back.

Any timeline for a new version release on PyPI to bring in this update?
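A practical way to verify the point made in this comment on your own deployment is to read the version string out of the TinyMCE bundle that django-tinymce actually ships and compare it with the fix releases named in the advisories linked earlier in the thread (5.6.0 for GHSA-w7jx-j77m-wp65, 5.7.1 for GHSA-5vm8-hhgr-jcjp). The script below is an added example, not code from django-tinymce or TinyMCE. It assumes two things that are marked in the code: that a TinyMCE 5 bundle carries `majorVersion:"5",minorVersion:"10.1"`-style fields (the minified form of `tinymce.majorVersion` / `tinymce.minorVersion`), and that the bundle lives at `tinymce/static/tinymce/tinymce.min.js` inside the installed package. The two sample snippets are constructed, not copied from real builds.

```python
"""Audit the TinyMCE build bundled with an installed django-tinymce against
the fix versions from the advisories linked in this issue.

Added example; not part of django-tinymce or TinyMCE. Assumptions are marked.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fix releases as stated in the advisory links posted in the thread.
FIXED_IN: Dict[str, Version] = {
    "GHSA-w7jx-j77m-wp65": (5, 6, 0),
    "GHSA-5vm8-hhgr-jcjp": (5, 7, 1),
}

# Assumption: a TinyMCE 5 bundle exposes its version as
#   majorVersion:"5",minorVersion:"10.1"
# (minified form of tinymce.majorVersion / tinymce.minorVersion).
_VERSION_RE = re.compile(
    r"""majorVersion\s*:\s*["'](\d+)["']\s*,\s*minorVersion\s*:\s*["']([\d.]+)["']"""
)

# Assumption: django-tinymce ships the editor at this path inside the package.
BUNDLE_PATH = Path("tinymce") / "static" / "tinymce" / "tinymce.min.js"


def parse_bundle_version(js_text: str) -> Optional[Version]:
    """Return (major, minor, patch) found in a TinyMCE bundle, or None."""
    m = _VERSION_RE.search(js_text)
    if not m:
        return None
    parts = [int(m.group(1))] + [int(p) for p in m.group(2).split(".") if p]
    parts = (parts + [0, 0, 0])[:3]  # "5","10" -> (5, 10, 0)
    return (parts[0], parts[1], parts[2])


def unfixed_advisories(version: Version) -> List[str]:
    """Advisory IDs whose fix release is newer than the bundled version."""
    return sorted(adv for adv, fixed in FIXED_IN.items() if version < fixed)


def audit_bundle(js_text: str) -> Tuple[Optional[Version], List[str]]:
    """Version found in the bundle plus the advisories it still lacks fixes for.

    An unrecognisable bundle is reported as missing every fix: fail closed.
    """
    version = parse_bundle_version(js_text)
    if version is None:
        return None, sorted(FIXED_IN)
    return version, unfixed_advisories(version)


def audit_install(site_packages: Path) -> Tuple[Optional[Version], List[str]]:
    """Audit the tinymce.min.js inside an installed django-tinymce."""
    bundle = site_packages / BUNDLE_PATH
    if not bundle.is_file():
        raise FileNotFoundError(f"no TinyMCE bundle at {bundle}")
    return audit_bundle(bundle.read_text(encoding="utf-8", errors="replace"))


# Constructed snippets standing in for the head of tinymce.min.js; they are
# not copied from any real TinyMCE build.
SAMPLE_5_5_0 = '!function(){"use strict";var e={majorVersion:"5",minorVersion:"5.0"};'
SAMPLE_5_10_1 = '!function(){"use strict";var e={majorVersion:"5",minorVersion:"10.1"};'

if __name__ == "__main__":
    for label, js in (("django-tinymce 3.3.0 bundle", SAMPLE_5_5_0),
                      ("master bundle", SAMPLE_5_10_1)):
        version, missing = audit_bundle(js)
        state = "OK" if not missing else "missing fixes for " + ", ".join(missing)
        print(f"{label}: TinyMCE {version}: {state}")
```

Run `audit_install(Path(site.getsitepackages()[0]))` against a real environment to check the installed package rather than the constructed samples; an unparseable bundle is deliberately reported as unpatched rather than silently passing.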

claudep commented 2 years ago

3.4.0 was released today.

GriceTurrble commented 2 years ago

Suggest updating this vuln with the patched version, as well: https://github.com/advisories/GHSA-r8hm-w5f7-wj39

Thanks for the updated release!