roundcube / roundcubemail

The Roundcube Webmail suite
https://roundcube.net
GNU General Public License v3.0

Update TinyMCE #8621

Open EwoutH opened 1 year ago

EwoutH commented 1 year ago

The current TinyMCE version is getting quite old. The latest version is 6.1.0, and the latest 5.x version is 5.10.5.

Nice to know: TinyMCE is now released under the more permissive MIT License (see https://github.com/tinymce/tinymce/pull/7647)

Resources

alecpl commented 1 year ago

Problem with v6 is that they removed spellchecker plugin. I would not bother with update to newest v5 version, until there's some known issue regarding TinyMCE in Roundcube.

EwoutH commented 1 year ago

Would using Browser-based spell checking be a viable alternative?

ledgr commented 1 year ago

TinyMCE is reaching EOL on April 20, 2023. Beyond this date, there won't be any security updates, bug fixes, or new features for that version.

But TinyMCE 6 is limited to only 1000 loads p/m for free.

alecpl commented 1 year ago

@ledgr the limit is for an editor hosted on their servers. That's not a problem as we include it in Roundcube.

The main problem with migration to v6 is the lack of a spellchecker plugin. If someone creates this plugin for v6, we'll migrate. Browser-based spellchecking is not the same as the solution we have right now. It does not include a centralized/per-user dictionary (with word exceptions), requires a dictionary installed in the browser, and does not integrate with the "check spelling on send" option.

If we decide to ignore spellchecker, we can as well think of replacing TinyMCE with CKEditor, but this in the end might be even more work.

pedrohc commented 7 months ago

There is a CVE for tinyMCE before 5.10.9:

https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8

pabzm commented 2 weeks ago

FTR: there are two more security fixes for TinyMCE <=6.8.3:

pabzm commented 2 weeks ago

There's still a spellchecker plugin, but it requires a paid "Professional" subscription. TinyMCE themselves suggest using the browser spellcheck as an alternative.

Since no other spellchecker plugin has appeared in recent years, I'd suggest moving on and either updating TinyMCE or exchanging it for CKEditor (GPL v2 or later) or maybe Trix (MIT License).

This is going to take some effort. Anyone interested in helping?

alecpl commented 2 weeks ago

I suppose taking the old spellchecker code and making it ours should not be that complicated. The commercial one is a completely different approach. I really don't want to drop features.

As for the vulnerabilities, I'm not sure they are even exploitable in Roundcube.