manywho / ui-bootstrap


[Security] Bump tinymce from 4.8.5 to 4.9.11 #164

Closed dependabot-preview[bot] closed 3 years ago

dependabot-preview[bot] commented 3 years ago

Bumps tinymce from 4.8.5 to 4.9.11. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Cross-site scripting vulnerability in TinyMCE

Impact

A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.3.2 or lower.

Patches

This vulnerability has been patched in TinyMCE 4.9.11 and 5.4.0 by improved HTML parsing and sanitization logic.

Workarounds

The workarounds available are:

  • upgrade to either TinyMCE 4.9.11 or TinyMCE 5.4.0 or
  • enable the media plugin, which overrides the default parsing behaviour for iframes or
  • add the following workaround to update the parsing schema rules for iframes:

Example: Change the default schema for iframes

tinymce.init({
  selector: 'textarea',
  setup: function (editor) {
    editor.on('PreInit', function () {
      // Register iframe as a "special" (raw-text) element, like script/style:
      // the parser then consumes everything up to the matching closing tag as
      // text instead of parsing the iframe body as DOM elements.
      editor.schema.getSpecialElements()['iframe'] = /<\/iframe[^>]*>/gi;
    });
  }
});

Affected versions: < 4.9.11

Sourced from The GitHub Security Advisory Database.

XSS in TinyMCE

A cross-site scripting (XSS) vulnerability was discovered in the core parser and media plugin. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs.

This vulnerability has been patched in TinyMCE 4.9.10 and 5.2.2 by improved HTML parsing and sanitization logic.

Workarounds

Disable the media plugin and manually sanitize CDATA content

References

https://www.tiny.cloud/docs/release-notes/release-notes522/#securityfixes

Affected versions: < 4.9.10

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects tinymce

Impact

A cross-site scripting (XSS) vulnerability was discovered in: the core parser, paste and visualchars plugins. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.6 or lower and TinyMCE 5.1.3 or lower.

Patches

This vulnerability has been patched in TinyMCE 4.9.7 and 5.1.4 by improved parser logic and HTML sanitization.

Workarounds

The workarounds available are:

  • disable the impacted plugins
  • manually sanitize the content using the BeforeSetContent event (see below)
  • upgrade to either TinyMCE 4.9.7 or TinyMCE 5.1.4

Example: Manually sanitize content

editor.on('BeforeSetContent', function(e) {
  var sanitizedContent = ...; // Manually sanitize content here
  e.content = sanitizedContent;
});

Affected versions: < 4.9.7

Changelog

Sourced from tinymce's changelog.

Version 4.9.11 (2020-07-13)
  • Fixed the selection.setContent() API not running parser filters #TINY-4002
  • Fixed content in an iframe element parsing as DOM elements instead of text content #TINY-5943
  • Fixed up and down keyboard navigation not working for inline contenteditable="false" elements #TINY-6226

Version 4.9.10 (2020-04-23)
  • Fixed an issue where the editor selection could end up inside a short ended element (eg br) #TINY-3999
  • Fixed a security issue related to CDATA sanitization during parsing #TINY-4669
  • Fixed media embed content not processing safely in some cases #TINY-4857

Version 4.9.9 (2020-03-25)
  • Fixed the table selection not functioning correctly in Microsoft Edge 44 or higher #TINY-3862
  • Fixed the table resize handles not functioning correctly in Microsoft Edge 44 or higher #TINY-4160
  • Fixed the forced_root_block_attrs setting not applying attributes to new blocks consistently #TINY-4564
  • Fixed the editor failing to initialize if a script tag was used inside an SVG #TINY-4087

Version 4.9.8 (2020-01-28)
  • Fixed the mobile theme failing to load due to a bundling issue #TINY-4613
  • Fixed security issue related to parsing HTML comments and CDATA #TINY-4544

Version 4.9.7 (2019-12-19)
  • Fixed the visualchars plugin converting HTML-like text to DOM elements in certain cases #TINY-4507
  • Fixed an issue with the paste plugin not sanitizing content in some cases #TINY-4510
  • Fixed HTML comments incorrectly being parsed in certain cases #TINY-4511

Version 4.9.6 (2019-09-02)
  • Fixed image browse button sometimes displaying the browse window twice #TINY-3959

Version 4.9.5 (2019-07-02)
  • Changed annotations navigation to work the same as inline boundaries #TINY-3396
  • Fixed the print plugin printing from the wrong window in IE11 #TINY-3762
  • Fixed an exception being thrown when a file or number input has focus during initialization. Patch contributed by t00 #GH-2194
  • Fixed positioning of the styleselect menu in iOS while using the mobile theme #TINY-3505
  • Fixed native context menu not showing with images in IE11 #TINY-3392
  • Fixed selection incorrectly changing when programmatically setting selection on contenteditable false elements #TINY-3766
  • Fixed image browse button not working on touch devices #TINY-3751
  • Fixed so that nbsp entities aren't trimmed in white-space: pre-line elements #TINY-3642
  • Fixed space key properly inserts a nbsp before/after block elements #TINY-3745
  • Fixed infinite loop in the paste plugin when IE11 takes a long time to process paste events. Patch contributed by lRawd. #GH-4987

Version 4.9.4 (2019-03-20)
  • Fixed an issue where Home/End keys wouldn't move the caret correctly before or after contenteditable=false inline elements #TINY-2995
  • Fixed an issue where content may have been lost when using permanent bookmarks #TINY-3400
  • Fixed the mobile editor to clean up properly when removed #TINY-3445
  • Fixed an issue where retrieving the selected content as text didn't create newlines #TINY-3197
  • Fixed an issue where typing space between images would cause issues with nbsp not being inserted. #TINY-3346

Version 4.9.3 (2019-01-31)
  • Added a visualchars_default_state setting to the Visualchars Plugin. Patch contributed by mat3e.
  • Fixed a bug where scrolling on a page with more than one editor would cause a ResizeWindow event to fire. #TINY-3247
  • Fixed a bug where if a plugin threw an error during initialisation the whole editor would fail to load. #TINY-3243
  • Fixed a bug where getContent would include bogus elements when valid_elements setting was set up in a specific way. #TINY-3213
  • Fixed a bug where only a few function key names could be used when creating keyboard shortcuts. #TINY-3146
  • Fixed a bug where it wasn't possible to enter spaces into an editor after pressing shift+enter. #TINY-3099
  • Fixed a bug where no caret would be rendered after backspacing to a contenteditable false element. #TINY-2998
  • Fixed a bug where deletion to/from indented lists would leave list fragments in the editor. #TINY-2981

Version 4.9.2 (2018-12-17)
  • Fixed a bug with pressing the space key on IE 11 would result in nbsp characters being inserted between words at the end of a block. #TINY-2996

Commits
  • 3a68b67 Added version 4.9.11 release.
  • 8086216 Added version 4.9.10 release.
  • f3e1d5c Added version 4.9.9 release.
  • 912df2b Added version 4.9.8 release.
  • e14935a Added version 4.9.7 release.
  • 202ca07 Added version 4.9.6 release.
  • 5c6d8f4 Added version 4.9.5 release.
  • 4623344 Added version 4.9.3 release.
  • f2b1a9b Added version 4.9.2 release.
  • d8e62a3 Added version 4.9.1 release.
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
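The two workarounds quoted in the advisories above (registering iframe as a raw-text "special element" so its body is never parsed as DOM, and filling in the `BeforeSetContent` handler with real sanitization) share one idea: content must be re-serialised from what the parser understood, never passed through. The block below is an added example written for this page, not code from TinyMCE or the manywho/ui-bootstrap project. It is an allowlist HTML sanitizer that consumes raw-text elements up to their closing tag, drops HTML comments and CDATA sections (the subject of the 4.9.8 and 4.9.10 fixes), and is wired into a `BeforeSetContent` handler. `FakeEditor` is an assumed stand-in for the parts of the TinyMCE editor object the handler touches (`on`, `fire`, `setContent`, and a mutable `e.content`), so the file runs offline in Node; the sample input is constructed.

```javascript
// Added example, not TinyMCE's or this project's code. FakeEditor is an
// assumed stand-in for the TinyMCE editor API so this runs offline in Node.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };
const VOID_TAGS = new Set(['br']);
// Raw-text elements (what TinyMCE's schema calls "special elements"): their
// body runs up to the closing tag and is discarded whole, never parsed.
const RAW_TEXT_TAGS = new Set(['script', 'style', 'iframe', 'noscript', 'textarea', 'xmp']);
const SAFE_URL = /^(?:https?:|mailto:)/i;

// One token per match: comment, CDATA section, tag, text run, or a lone '<'.
const TOKEN = /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:=(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>|[^<]+|</g;
const ATTR = /([^\s=]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Output is rebuilt from parsed tokens; no input byte is copied through.
function sanitizeHtml(html) {
  const out = [];
  const open = [];        // stack of open allowed elements, closed at the end
  let rawUntil = null;    // raw-text element whose body is being discarded
  for (const m of html.matchAll(TOKEN)) {
    const [tok, slash, rawName, attrText] = m;
    const name = rawName ? rawName.toLowerCase() : null;
    if (rawUntil) {                         // inside <script>/<iframe>/...: skip
      if (slash && name === rawUntil) rawUntil = null;
      continue;
    }
    if (tok.startsWith('<!--') || tok.startsWith('<![CDATA[')) continue;
    if (name === null) { out.push(escapeText(tok)); continue; }   // text or stray '<'
    if (RAW_TEXT_TAGS.has(name)) { if (!slash) rawUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;  // unlisted element: drop tag, keep its text
    if (slash) {
      const idx = open.lastIndexOf(name);
      if (idx !== -1) while (open.length > idx) out.push(`</${open.pop()}>`);
      continue;
    }
    const attrs = [];
    const allowed = ALLOWED_ATTRS[name] || new Set();
    for (const a of attrText.matchAll(ATTR)) {
      const key = a[1].toLowerCase();
      const val = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!allowed.has(key)) continue;
      if (key === 'href' && !SAFE_URL.test(val)) continue;
      attrs.push(` ${key}="${escapeText(val)}"`);
    }
    out.push(`<${name}${attrs.join('')}>`);
    if (!VOID_TAGS.has(name)) open.push(name);
  }
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}

// Assumed minimal stand-in for the TinyMCE editor object.
class FakeEditor {
  constructor() { this.handlers = {}; this.body = ''; }
  on(name, fn) { (this.handlers[name] = this.handlers[name] || []).push(fn); }
  fire(name, evt) { for (const fn of this.handlers[name] || []) fn(evt); return evt; }
  setContent(html) {
    // TinyMCE fires BeforeSetContent with a mutable `content` field; whatever
    // the handlers leave there is what the parser receives.
    this.body = this.fire('BeforeSetContent', { content: html }).content;
    return this.body;
  }
}

// The advisory's BeforeSetContent workaround with the sanitizer filled in.
function installSanitizer(editor) {
  editor.on('BeforeSetContent', function (e) {
    e.content = sanitizeHtml(e.content);
  });
}

// Constructed sample: allowed markup, a comment, a CDATA section, an iframe
// with nested markup, an unlisted attribute and a stray '<'.
const SAMPLE = '<p class="note">Hello <b>world</b><!-- c --><![CDATA[x]]></p>' +
  '<iframe src="https://example.com"><b>inner</b></iframe>' +
  '<a href="https://example.com/" style="x">link</a>5 < 6';

function demo() {
  const editor = new FakeEditor();
  installSanitizer(editor);
  return editor.setContent(SAMPLE);
}

console.log(demo());
// <p>Hello <b>world</b></p><a href="https://example.com/">link</a>5 &lt; 6
```

Two design points carry over to any real deployment. First, the iframe body (`<b>inner</b>`) never reaches the tag handling at all because iframe is in the raw-text set, which is exactly what the `getSpecialElements()['iframe']` workaround achieves inside TinyMCE's own parser. Second, anything the tokenizer cannot classify as a tag (an unterminated comment, a malformed tag) is emitted as escaped text rather than being guessed at. For production use a maintained sanitizer such as DOMPurify in the handler; the allowlist sets and the regex tokenizer here are deliberately small to keep the structure visible.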
dependabot-preview[bot] commented 3 years ago

Superseded by #179.