Open Olorin92 opened 6 years ago
We can definitely delete it. Go ahead with the PR if you like but let me know if you can't and I'll do it.
Thanks a lot.
Great will do - I'll put in a pull request, but will do a bit more of a thorough test before I do that!
A vulnerability scanner we ran across our Django website (detectify) has flagged the moxieplayer.swf file served as part of the TinyMCE plugin as containing XSS vulnerabilities.
Looking at the plugin, it seems that it's fairly out of date, and the latest version no longer contains this file. I'm not sure what the best way around this is, but ideally we want to prevent this file from being served.
I'm not sure if there's a way to do that in Django already (i.e. serve all these files except the .swf one); if there is, that's the easiest way to go. If not, I've made code changes to the tinymce_setup.js file in my own fork to make it work with the latest TinyMCE, but I did see comments regarding incompatibility with a newer version of TinyMCE a few years ago, so not sure if that will still be an issue.
Happy to test more thoroughly and create a pull request if that's preferred.
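The question in the report above is how to stop Django from serving one legacy file. The example below is added here and is not code from django-tinymce, from the reporter, or from the maintainer: a stdlib-only pre-deploy check that walks a collected static root and refuses to ship anything matching a deny-list (any .swf, plus the flagged moxieplayer.swf by name). The fixture paths and file contents are constructed for the demo; the pattern matching follows what collectstatic's `--ignore` does as far as I know (an fnmatch pattern tried against both the basename and the path relative to the static root), except that it is deliberately case-insensitive, which Django's own matching is not on POSIX.

```python
"""Pre-deploy check: refuse to ship static files that match a deny-list.

Added example, not code from django-tinymce or the issue reporter.  The
fixture built by build_fixture() is constructed for the demo.  Matching is
an fnmatch pattern against the basename and against the path relative to
the static root (as collectstatic --ignore does, to my understanding),
but lower-cased first so that logo.SWF is caught as well; Django itself
uses fnmatchcase, so '*.swf' alone would not ignore an upper-case name.
"""
import fnmatch
import os
import sys
import tempfile
from pathlib import Path

# Flash is dead and the scanner flagged moxieplayer.swf, so refuse any
# .swf; the explicit second entry documents the file this thread is about.
FORBIDDEN_PATTERNS = ["*.swf", "js/tiny_mce/plugins/media/moxieplayer.swf"]


def matches_patterns(path: str, patterns) -> bool:
    """Case-insensitive fnmatch of one path against a list of patterns."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def find_forbidden_static(static_root, patterns=FORBIDDEN_PATTERNS):
    """Return sorted relative paths under static_root that match a pattern."""
    root = Path(static_root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            # Try the bare filename first, then the root-relative path, so
            # both '*.swf' and a directory-qualified pattern can match.
            if matches_patterns(name, patterns) or matches_patterns(rel, patterns):
                hits.append(rel)
    return sorted(hits)


def purge_forbidden_static(static_root, patterns=FORBIDDEN_PATTERNS):
    """Delete every matching file and return the list of what was removed."""
    removed = find_forbidden_static(static_root, patterns)
    for rel in removed:
        Path(static_root, rel).unlink()
    return removed


def build_fixture():
    """Constructed stand-in for STATIC_ROOT after collectstatic (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="static_root_"))
    files = {
        "js/tiny_mce/tiny_mce.js": "/* tinymce */",
        "js/tiny_mce/plugins/media/moxieplayer.swf": "FWS",  # the flagged file
        "css/site.css": "body{}",
        "img/logo.SWF": "FWS",  # upper-case extension, must still be caught
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


if __name__ == "__main__":
    # CI usage: python check_static.py /path/to/STATIC_ROOT
    # Exits non-zero if anything on the deny-list was collected.
    target = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    hits = find_forbidden_static(target)
    for rel in hits:
        print(f"forbidden static file: {rel}")
    sys.exit(1 if hits else 0)
```

Two caveats worth keeping in mind. First, the Django-native way to keep the file out of STATIC_ROOT is `manage.py collectstatic --ignore '*.swf'` (or a subclass of `StaticFilesConfig` with its own `ignore_patterns`), and the check above is a guard that this actually happened rather than a replacement for it. Second, with `DEBUG = True` and `runserver`, django.contrib.staticfiles serves files straight from the app finders, not from STATIC_ROOT, so the .swf inside the installed package is still reachable there; the only complete fix is the one the thread settles on, removing the file from the plugin.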