manywho / ui-bootstrap


[Security] Bump tinymce from 4.8.5 to 5.6.0 #179

Open dependabot-preview[bot] opened 3 years ago

dependabot-preview[bot] commented 3 years ago

Bumps tinymce from 4.8.5 to 5.6.0. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Regex denial of service vulnerability in codesample plugin

Impact

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.6.0 or higher
  • Disable the codesample plugin
  • Disable ruby code samples using the codesample_languages setting
  • Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting

Acknowledgements

Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

Affected versions: < 5.6.0

Sourced from The GitHub Security Advisory Database.

Cross-site scripting vulnerability in TinyMCE

Impact

A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.3.2 or lower.

Patches

This vulnerability has been patched in TinyMCE 4.9.11 and 5.4.0 by improved HTML parsing and sanitization logic.

Workarounds

The workarounds available are:

  • upgrade to either TinyMCE 4.9.11 or TinyMCE 5.4.0 or
  • enable the media plugin, which overrides the default parsing behaviour for iframes or
  • add the following workaround to update the parsing schema rules for iframes:

Example: Change the default schema for iframes

```js
setup: function(editor) {
  editor.on('PreInit', function() {
    // Tell the schema where an iframe's raw content ends: at its closing tag
    editor.schema.getSpecialElements()['iframe'] = /<\/iframe[^>]*>/gi;
  });
}
```

Affected versions: < 4.9.11

Sourced from The GitHub Security Advisory Database.

XSS in TinyMCE

A cross-site scripting (XSS) vulnerability was discovered in the core parser and media plugin. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs.

This vulnerability has been patched in TinyMCE 4.9.10 and 5.2.2 by improved HTML parsing and sanitization logic.

Workarounds

Disable the media plugin and manually sanitize CDATA content

References

https://www.tiny.cloud/docs/release-notes/release-notes522/#securityfixes

Affected versions: < 4.9.10

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects tinymce

Impact

A cross-site scripting (XSS) vulnerability was discovered in: the core parser, paste and visualchars plugins. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.6 or lower and TinyMCE 5.1.3 or lower.

Patches

This vulnerability has been patched in TinyMCE 4.9.7 and 5.1.4 by improved parser logic and HTML sanitization.

Workarounds

The workarounds available are:

  • disable the impacted plugins
  • manually sanitize the content using the BeforeSetContent event (see below)
  • upgrade to either TinyMCE 4.9.7 or TinyMCE 5.1.4

Example: Manually sanitize content

```js
editor.on('BeforeSetContent', function(e) {
  var sanitizedContent = ...; // Manually sanitize content here
  e.content = sanitizedContent;
});
```

Affected versions: < 4.9.7
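As an added example (not part of this Dependabot PR or of TinyMCE), the script below encodes the affected ranges stated in the four advisories quoted above and reports which of them still apply to a given tinymce version, so a bump like 4.8.5 to 5.6.0 can be checked against all of them at once. The advisory labels and the per-series (4.x / 5.x) encoding of the fix versions are this example's own; the version numbers are the ones the advisories give.

```javascript
// Added example, not code from the Dependabot PR or from TinyMCE: triage which
// of the advisories quoted above still apply to a given tinymce version.
// Each advisory lists the version that fixes it; a `series` restricts a range to
// one major version line (the XSS advisories were fixed separately in 4.x and 5.x).
const ADVISORIES = [
  { id: 'ReDoS in codesample plugin',
    fixedIn: [{ version: '5.6.0' }] },
  { id: 'XSS in core parser',
    fixedIn: [{ series: 4, version: '4.9.11' }, { series: 5, version: '5.4.0' }] },
  { id: 'XSS in core parser and media plugin',
    fixedIn: [{ series: 4, version: '4.9.10' }, { series: 5, version: '5.2.2' }] },
  { id: 'XSS in core parser, paste and visualchars plugins',
    fixedIn: [{ series: 4, version: '4.9.7' }, { series: 5, version: '5.1.4' }] },
];

// Parse "major.minor.patch" into numbers; reject pre-release or partial strings
// so a malformed lockfile entry fails loudly instead of silently reading as unaffected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error('unsupported version string: ' + v);
  return m.slice(1).map(Number);
}

// Component-wise numeric comparison: "4.10.0" must sort after "4.9.11",
// which a plain string comparison gets wrong.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A version is affected if it is below the fix in a range that applies to its series.
function isAffected(version, fixedIn) {
  const major = parseVersion(version)[0];
  return fixedIn.some(r =>
    (r.series === undefined || r.series === major) && compareVersions(version, r.version) < 0);
}

function affectedAdvisories(version) {
  return ADVISORIES.filter(a => isAffected(version, a.fixedIn)).map(a => a.id);
}

// Summarise a bump: what the old pin was exposed to, and what the new one still is.
function triageBump(from, to) {
  return { from: affectedAdvisories(from), to: affectedAdvisories(to) };
}

console.log(JSON.stringify(triageBump('4.8.5', '5.6.0'), null, 2));
```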

Changelog

Sourced from tinymce's changelog.

Version 5.6.2 (2020-12-08)
  • Fixed a UI rendering regression when the document body is using display: flex #TINY-6783

Version 5.6.1 (2020-11-25)
  • Fixed the mceTableRowType and mceTableCellType commands were not firing the newCell event #TINY-6692
  • Fixed the HTML5 s element was not recognized when editing or clearing text formatting #TINY-6681
  • Fixed an issue where copying and pasting table columns resulted in invalid HTML when using colgroups #TINY-6684
  • Fixed an issue where the toolbar would render with the wrong width for inline editors in some situations #TINY-6683

Version 5.6.0 (2020-11-18)
  • Added new BeforeOpenNotification and OpenNotification events which allow internal notifications to be captured and modified before display #TINY-6528
  • Added support for block and unblock methods on inline dialogs #TINY-6487
  • Added new TableModified event which is fired whenever changes are made to a table #TINY-6629
  • Added new images_file_types setting to determine which image file formats will be automatically processed into img tags on paste when using the paste plugin #TINY-6306
  • Added support for images_file_types setting in the image file uploader to determine which image file extensions are valid for upload #TINY-6224
  • Added new format_empty_lines setting to control if empty lines are formatted in a ranged selection #TINY-6483
  • Added template support to the autocompleter for customizing the autocompleter items #TINY-6505
  • Added new user interface enable, disable, and isDisabled methods #TINY-6397
  • Added new closest formatter API to get the closest matching selection format from a set of formats #TINY-6479
  • Added new emojiimages emoticons database that uses the twemoji CDN by default #TINY-6021
  • Added new emoticons_database setting to configure which emoji database to use #TINY-6021
  • Added new name field to the style_formats setting object to enable specifying a name for the format #TINY-4239
  • Changed readonly mode to allow hyperlinks to be clickable #TINY-6248
  • Fixed the change event not firing after a successful image upload #TINY-6586
  • Fixed the type signature for the entity_encoding setting not accepting delimited lists #TINY-6648
  • Fixed layout issues when empty tr elements were incorrectly removed from tables #TINY-4679
  • Fixed image file extensions lost when uploading an image with an alternative extension, such as .jfif #TINY-6622
  • Fixed a security issue where URLs in attributes weren't correctly sanitized #TINY-6518
  • Fixed DOMUtils.getParents incorrectly including the shadow root in the array of elements returned #TINY-6540
  • Fixed an issue where the root document could be scrolled while an editor dialog was open inside a shadow root #TINY-6363
  • Fixed getContent with text format returning a new line when the editor is empty #TINY-6281
  • Fixed table column and row resizers not respecting the data-mce-resize attribute #TINY-6600
  • Fixed inserting a table via the mceInsertTable command incorrectly creating 2 undo levels #TINY-6656
  • Fixed nested tables with colgroup elements incorrectly always resizing the inner table #TINY-6623
  • Fixed the visualchars plugin causing the editor to steal focus when initialized #TINY-6282
  • Fixed fullpage plugin altering text content in editor.getContent() #TINY-6541
  • Fixed fullscreen plugin not working correctly with multiple editors and shadow DOM #TINY-6280
  • Fixed font size keywords such as medium not displaying correctly in font size menus #TINY-6291
  • Fixed an issue where some attributes in table cells were not copied over to new rows or columns #TINY-6485
  • Fixed incorrectly removing formatting on adjacent spaces when removing formatting on a ranged selection #TINY-6268
  • Fixed the Cut menu item not working in the latest version of Mozilla Firefox #TINY-6615
  • Fixed some incorrect types in the new TypeScript declaration file #TINY-6413
  • Fixed a regression where a fake offscreen selection element was incorrectly created for the editor root node #TINY-6555
  • Fixed an issue where menus would incorrectly collapse in small containers #TINY-3321
  • Fixed an issue where only one table column at a time could be converted to a header #TINY-6326
  • Fixed some minor memory leaks that prevented garbage collection for editor instances #TINY-6570
  • Fixed resizing a responsive table not working when using the column resize handles #TINY-6601
  • Fixed incorrectly calculating table col widths when resizing responsive tables #TINY-6646
  • Fixed an issue where spaces were not preserved in pre-blocks when getting text content #TINY-6448
  • Fixed a regression that caused the selection to be difficult to see in tables with backgrounds #TINY-6495
  • Fixed content pasted multiple times in the editor when using Microsoft Internet Explorer 11. Patch contributed by mattford #GH-4905

Version 5.5.1 (2020-10-01)

Commits
  • 933ded7 Added version 5.6.0 release.
  • a436d25 Added version 5.5.1 release.
  • a2c91ba Added version 5.5.0 release.
  • 71197b6 Added version 5.4.2 release.
  • 940fdcf Added version 5.4.1 release.
  • aa17e50 Added version 5.4.0 release.
  • d61fb3a Added version 5.3.2 release.
  • 680aa99 Added version 5.3.1 release.
  • 5831401 Added version 5.3.0 release.
  • a9e4928 Added version 5.2.2 release.
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
  • `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)