tinymce / tinymce-angular

Official TinyMCE Angular Component
MIT License
320 stars, 92 forks

Cross-Site Scripting in tinymce 7 fix #375

Closed RGerhardt-Pressmind closed 2 months ago

RGerhardt-Pressmind commented 3 months ago

Hello, when is the tinymce update coming? Since today the npm update reports an official XSS bug. This would be fixed in tinymce 7.0, but tinymce-angular has not been updated for over a year. Is an update conceivable in the near future?

TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78

Regards Robbyn

danoaky-tiny commented 3 months ago

I can't give you an exact date, although it is planned. You can still set cloudChannel to 7 or use TinyMCE version 7 through any of the other methods mentioned in the docs. You'd also need to set the license_key prop in init, if applicable.

TobiDimmel commented 2 months ago

For the meantime you could set the convert_unsafe_embeds option to true, which was introduced with TinyMCE v6.8.1. See the GitHub advisory for details.
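The two mitigations offered in the replies above (moving the cloud channel to 7 with a license_key in init, or enabling convert_unsafe_embeds on 6.8.1+) as an added example, not code from this thread or from the tinymce-angular project. The EditorInit type, the auditEditorConfig helper and its Finding shape are assumptions made for the example; only the option names cloudChannel, init, license_key and convert_unsafe_embeds come from the thread.

```typescript
// Added example, not part of the tinymce-angular project or this issue thread.
// Assumptions: EditorInit lists only the options this thread mentions;
// auditEditorConfig / Finding are hypothetical helpers for checking a config.

/** Subset of TinyMCE `init` options relevant to the thread (assumed shape). */
export interface EditorInit {
  license_key?: string;            // needed with TinyMCE 7 where applicable (per thread)
  convert_unsafe_embeds?: boolean; // introduced in 6.8.1 (per thread)
  [option: string]: unknown;       // any other TinyMCE option
}

export interface EditorConfig {
  cloudChannel: string; // value bound to tinymce-angular's cloudChannel input
  init: EditorInit;     // value bound to tinymce-angular's init input
}

export interface Finding {
  option: string;
  message: string;
}

/** Weak setup: pinned to a 6.x channel, object/embed elements left untouched. */
export const legacyConfig: EditorConfig = {
  cloudChannel: '6',
  init: { height: 400, menubar: false },
};

/** Hardened setup: TinyMCE 7 channel, license_key set, embeds converted as well. */
export function hardenedConfig(licenseKey = 'gpl'): EditorConfig {
  return {
    cloudChannel: '7',
    init: {
      height: 400,
      menubar: false,
      license_key: licenseKey,
      convert_unsafe_embeds: true,
    },
  };
}

/**
 * Returns the gaps between a config and the advice in this thread.
 * An empty array means the config follows that advice.
 */
export function auditEditorConfig(cfg: EditorConfig): Finding[] {
  const findings: Finding[] = [];
  const major = parseInt(cfg.cloudChannel, 10); // NaN for channels like 'dev'

  if (!(major >= 7)) {
    findings.push({
      option: 'cloudChannel',
      message: `channel "${cfg.cloudChannel}" is below 7; the SVG object/embed XSS is fixed in TinyMCE 7.0`,
    });
    // Interim mitigation while still on 6.x (available from 6.8.1).
    if (cfg.init.convert_unsafe_embeds !== true) {
      findings.push({
        option: 'convert_unsafe_embeds',
        message: 'not enabled; set to true on TinyMCE 6.8.1+ until the channel is moved to 7',
      });
    }
  }

  if (major >= 7 && !cfg.init.license_key) {
    findings.push({
      option: 'license_key',
      message: 'missing from init; the thread notes it is needed with TinyMCE 7 where applicable',
    });
  }

  return findings;
}

// In the Angular template the two values are bound to the component's inputs:
//   <editor [cloudChannel]="cfg.cloudChannel" [init]="cfg.init"></editor>
// where `cfg` is e.g. `hardenedConfig('<your-license-key>')` on the component class.
```

Running auditEditorConfig over the legacy config reports both the old channel and the missing convert_unsafe_embeds flag; the hardened config reports nothing, and a 7 channel without license_key reports only that option.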

danoaky-tiny commented 2 months ago

This is fixed by #378, which adds TinyMCE 7 as the default cloud channel, amongst other supporting features for it.