pangaeatech / tinymce-paste-from-word-plugin

TinyMCE 6.x Plugin to add support for pasting from Microsoft Word documents
GNU Lesser General Public License v2.1

[Prod] Update dependency tinymce to v7 [SECURITY] #100

Open renovate[bot] opened 3 months ago

renovate[bot] commented 3 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| tinymce (source) | 6.8.2 -> 7.0.0 | | | | |

GitHub Vulnerability Alerts

CVE-2024-29881

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an object or embed element and that image could potentially contain an XSS payload.

Fix

TinyMCE 6.8.1 introduced a new convert_unsafe_embeds option to automatically convert object and embed elements respective of their type attribute. From TinyMCE 7.0.0 onwards, the convert_unsafe_embeds option is enabled by default.

Workarounds

If you are using TinyMCE 6.8.1 or higher, set convert_unsafe_embeds to true. For any earlier versions, a custom NodeFilter is recommended to remove or modify any object or embed elements. This can be added using the editor.parser.addNodeFilter and editor.serializer.addNodeFilter APIs.

Acknowledgements

Tiny Technologies would like to thank Toni Huttunen of Fraktal Oy for discovering this vulnerability.

References

CVE-2024-38356

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added.

Fix

To avoid this vulnerability:

References

For more information

If you have any questions or comments about this advisory:

CVE-2024-38357

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor.

Patches

This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements is properly parsed.

Fix

To avoid this vulnerability:

Acknowledgements

Tiny thanks Malav Khatri and another reporter for their help identifying this vulnerability.

References

For more information

If you have any questions or comments about this advisory:


Release Notes

tinymce/tinymce (tinymce)

### [`v7.0.0`](https://togithub.com/tinymce/tinymce/blob/HEAD/modules/tinymce/CHANGELOG.md#700---2024-03-20)

[Compare Source](https://togithub.com/tinymce/tinymce/compare/tinymce@6.8.4...7.0.0)

##### Added

- New `license_key` option that must be set to `gpl` or a valid license key. #TINY-10681
- New custom tooltip functionality, tooltip will be shown when hovering with a mouse or with keyboard focus. #TINY-9275
- New `sandbox_iframes_exclusions` option that holds a list of URL host names to be excluded from iframe sandboxing when `sandbox_iframes` is set to `true`. #TINY-10350
- Added 'getAllEmojis' api function to the emoticons plugin. #TINY-10572
- Element preset support for the `valid_children` option and Schema.addValidChildren API. #TINY-9979
- A new `trigger` property for block text pattern configurations, allowing pattern activation with either Space or Enter keys. #TINY-10324
- onFocus callback for CustomEditor dialog component. #TINY-10596
- icons for the import from Word, export to Word and export to PDF premium plugins. #TINY-10612
- `data` is now a valid element in the Schema. #TINY-10611
- More advanced schema config for custom elements. #TINY-9980
- Custom tooltip for autocompleter, now visible on both mouse hover and keyboard focus, except single column cases. #TINY-9638

##### Improved

- Included keyboard shortcut in custom tooltip for `ToolbarButton` and `ToolbarToggleButton`. #TINY-10487
- Improved showing which element has focus for keyboard navigation. #TINY-9176
- Custom tooltips will now show for items in `collection` which is rendered inside a dialog, on mouse hover and keyboard focus. #TINY-9637
- Autocompleter will now work with IMEs. #TINY-10637
- Make table ghost element better reflect height changes when resizing. #TINY-10658

##### Changed

- TinyMCE is now licensed GPL Version 2 or later. #TINY-10578
- `convert_unsafe_embeds` editor option is now defaulted to `true`. #TINY-10351
- `sandbox_iframes` editor option is now defaulted to `true`. #TINY-10350
- The DOMUtils.isEmpty API function has been modified to consider nodes containing only comments as empty. #TINY-10459
- The `highlight_on_focus` option now defaults to true, adding a focus outline to every editor. #TINY-10574
- Delay before the tooltip to show up, from 800ms to 300ms. #TINY-10475
- Now `tox-view__pane` has `position: relative` instead of `static`. #TINY-10561
- Update outbound link for statusbar Tiny logo #TINY-10494
- Remove the height field from the `table` plugin cell dialog. The `table` plugin row dialog now controls the row height by setting the height on the `tr` element, not the `td` elements. #TINY-10617
- Change table height resizing handling to remove heights from `td`/`th` elements and only apply to `tr` elements. #TINY-10589
- Removed incorrect `aria-placeholder` attribute from editor body when `placeholder` option is set. #TINY-10452
- The `tooltip` property for dialog's footer `togglebutton` is now optional. #TINY-10672
- Changed the `media_url_resolver` option to use promises. #TINY-9154
- `Styles` bespoke toolbar button fallback changed to `Formats` if `Paragraph` is not configured in `style_formats` option. #TINY-10603
- Updated deprecation/removed console message. #TINY-10694

##### Removed

- Deprecated `force_hex_color` option, with the default now being all colors are forced to hex format as lower case. #TINY-10436
- Deprecated `remove_trailing_brs` option from DomParser. #TINY-10454
- `title` attribute on buttons with visible label. #TINY-10453
- `InsertOrderedList` and `InsertUnorderedList` commands from core, these now only exist in the `lists` plugin. #TINY-10644
- `closeButton` from the notification API, close buttons in notifications are now required. #TINY-10646
- The autocompleter `ch` configuration property has been removed. Use the `trigger` property instead. #TINY-8929
- Deprecated `template` plugin. #TINY-10654

##### Fixed

- When deleting the last row in a table, the cursor would jump to the first cell (top left), instead of moving to the next adjacent cell in some cases. #TINY-6309
- Heading formatting would be partially applied to the content within the `summary` element when the caret was positioned between words. #TINY-10312
- Moving focus to the outside of the editor after having clicked a menu would not fire a `blur` event as expected. #TINY-10310
- Autocomplete would sometimes cause corrupt data when starting during text composition. #TINY-10317
- Inline mode with persisted toolbar would show regardless of the skin being loaded, causing css issues. #TINY-10482
- Table classes couldn't be removed via setting an empty value in `table_class_list`. Also fixed being forced to pick the first class option. #TINY-6653
- Directly right clicking on a ol's li in FireFox didn't enable the button `List Properties...` in the context menu. #TINY-10490
- The `link_default_target` option wasn't considered when inserting a link via `quicklink` toolbar. #TINY-10439
- When inline editor toolbar wrapped to multiple lines the top wasn't always calculated correctly. #TINY-10580
- Removed manually dispatching dragend event on drop in Firefox. #TINY-10389
- Slovenian help dialog content had a dot in the wrong place. #TINY-10601
- Pressing Backspace at the start of an empty `summary` element within a `details` element nested in a list item no longer removes the `summary` element. #TINY-10303
- The toolbar width was miscalculated for the inline editor positioned inside a scrollable container. #TINY-10581
- Fixed incorrect object processor for `event_root` option. #TINY-10433
- Adding newline after using `selection.setContent` to insert a block element would throw an unhandled exception. #TINY-10560
- Floating toolbar buttons in inline editor incorrectly wrapped into multiple rows on window resizing or zooming. #TINY-10570
- When setting table border width and `table_style_by_css` is true, only the border attribute is set to 0 and border-width styling is no longer used. #TINY-10308
- Clicking to the left or right of a non-editable div in Firefox would show two cursors. #TINY-10314

### [`v6.8.4`](https://togithub.com/tinymce/tinymce/compare/6.8.3...tinymce@6.8.4)

[Compare Source](https://togithub.com/tinymce/tinymce/compare/6.8.3...tinymce@6.8.4)

### [`v6.8.3`](https://togithub.com/tinymce/tinymce/blob/HEAD/modules/tinymce/CHANGELOG.md#683---2024-02-08)

[Compare Source](https://togithub.com/tinymce/tinymce/compare/6.8.2...6.8.3)

##### Changed

- Update outbound TinyMCE website links. #TINY-10491

##### Fixed

- The floating toolbar would not be fully visible when the editor was placed inside a scrollable container. #TINY-10335
- ShadowDOM skin was not loaded properly when used with js bundling feature. #TINY-10451

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
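The Workarounds section of the CVE-2024-29881 advisory above recommends, for TinyMCE versions before 6.8.1, a custom NodeFilter registered through `editor.parser.addNodeFilter` and `editor.serializer.addNodeFilter` that removes or modifies `object` and `embed` elements. The block below is an added example of such a filter; it is not code from this plugin, from Renovate, or from TinyMCE. It assumes the AstNode interface TinyMCE passes to node filters (`node.name`, `node.attr()`, `node.remove()`, `node.replace()`) and takes a `createNode(name, attrs)` factory as a parameter (in a real editor you would pass `tinymce.html.Node.create`). `StubNode`, the fake editor object and the `/uploads/...` paths are constructed stand-ins so the example runs offline; `makeUnsafeEmbedFilter`, `installUnsafeEmbedFilter` and `demoFilter` are hypothetical names.

```javascript
// Added example: a NodeFilter in the spirit of the CVE-2024-29881 workaround.
// Policy (this example's choice, stricter than TinyMCE's convert_unsafe_embeds):
//   - object/embed whose type is image/* becomes a plain <img>, which browsers
//     render without giving the image any script execution context;
//   - every other object/embed (unknown, untyped or non-image) is removed.

// <object> carries its URL in data=, <embed> in src=.
function sourceOf(node) {
  return node.name === 'object' ? node.attr('data') : node.attr('src');
}

// Build the filter callback. createNode(name, attrs) must return a node
// compatible with the nodes TinyMCE hands to the filter (assumption: the
// AstNode API; tinymce.html.Node.create fits in a real editor).
function makeUnsafeEmbedFilter(createNode) {
  return (nodes) => {
    for (const node of nodes) {
      const type = (node.attr('type') || '').toLowerCase();
      const src = sourceOf(node);
      if (type.startsWith('image/') && src) {
        const img = createNode('img', { src, alt: node.attr('title') || '' });
        node.replace(img);
      } else {
        node.remove();
      }
    }
  };
}

// Register the same filter on both the parser (content loaded into the
// editor) and the serializer (content extracted from it), as the advisory
// suggests, so the elements never survive either direction.
function installUnsafeEmbedFilter(editor, createNode) {
  const filter = makeUnsafeEmbedFilter(createNode);
  editor.parser.addNodeFilter('object,embed', filter);
  editor.serializer.addNodeFilter('object,embed', filter);
  return filter;
}

// Constructed stand-in for TinyMCE's AstNode, only for running this offline.
class StubNode {
  constructor(name, attrs = {}) {
    this.name = name;
    this.attributes = { ...attrs };
    this.parent = null;
    this.children = [];
  }
  attr(name, value) {
    if (value === undefined) return this.attributes[name];
    this.attributes[name] = value;
    return this;
  }
  append(child) {
    child.parent = this;
    this.children.push(child);
    return child;
  }
  remove() {
    if (this.parent) {
      this.parent.children = this.parent.children.filter((c) => c !== this);
      this.parent = null;
    }
    return this;
  }
  replace(other) {
    const p = this.parent;
    if (p) {
      p.children = p.children.map((c) => (c === this ? other : c));
      other.parent = p;
      this.parent = null;
    }
    return this;
  }
}

// Run the filter over a constructed document fragment and report what is left.
function demoFilter() {
  const root = new StubNode('body');
  root.append(new StubNode('object', { type: 'image/png', data: '/uploads/diagram.png' }));
  root.append(new StubNode('embed', { type: 'image/svg+xml', src: '/uploads/logo.svg' }));
  root.append(new StubNode('object', { type: 'application/pdf', data: '/uploads/report.pdf' }));
  root.append(new StubNode('embed', { src: '/uploads/unknown' })); // no type attribute at all

  // Fake editor: the real one would hand these callbacks to its parser/serializer.
  const fakeEditor = { parser: { addNodeFilter() {} }, serializer: { addNodeFilter() {} } };
  const filter = installUnsafeEmbedFilter(fakeEditor, (name, attrs) => new StubNode(name, attrs));

  // TinyMCE calls the filter with the matching nodes; we collect them the same way.
  filter(root.children.filter((c) => c.name === 'object' || c.name === 'embed'));
  return root.children.map((c) => `${c.name}:${c.attr('src') || ''}`);
}

console.log(demoFilter());
```

Keeping the `image/*` branch is a deliberate choice: an SVG referenced from an `img` element is rasterised without script execution, so the advisory's SVG-with-payload case is neutralised while ordinary inline images survive. If your content never legitimately uses `object` or `embed`, dropping the branch and removing every match is simpler still; on TinyMCE 6.8.1 or later the advisory's own recommendation, `convert_unsafe_embeds: true`, replaces this filter.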