Closed manasaprabala closed 2 years ago
Ref: INT-2956
I would recommend reading this documentation: https://www.tiny.cloud/docs/tinymce/6/security/
The tinymce-react integration is a thin wrapper around TinyMCE. I am not aware of any security issues that can be introduced by the react wrapper itself. Any user-generated content is at most set as a value of a textarea. When running in inline mode we use the tinymce API setContent to avoid having to process user content directly. The react wrapper does trust the URL given to it in the tinymceScriptSrc prop, so that should not be changeable by the end user.
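As an added illustration of the point about the tinymceScriptSrc prop (not code from tinymce-react or from the maintainer), an application that derives this prop from configuration can vet the value before rendering the editor. The origins, paths and function names below are hypothetical.

```javascript
// Added example (not tinymce-react code). Origins and paths are hypothetical.
const APP_ORIGIN = 'https://app.example.com';
// Allowed origin -> path prefix under which the editor bundle is served.
const ALLOWED = new Map([
  [APP_ORIGIN, '/static/tinymce/'],
  ['https://static.example.net', '/vendor/tinymce/'],
]);
const DEFAULT_SRC = APP_ORIGIN + '/static/tinymce/tinymce.min.js';

// Returns { ok: true, href } or { ok: false, reason } for a candidate prop value.
function checkScriptSrc(candidate) {
  if (typeof candidate !== 'string' || candidate === '') {
    return { ok: false, reason: 'type' };
  }
  let url;
  try {
    // Resolve like a browser: handles relative and protocol-relative input and
    // collapses "." / ".." segments before any comparison is made.
    url = new URL(candidate, APP_ORIGIN + '/');
  } catch (err) {
    return { ok: false, reason: 'parse' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };
  const prefix = ALLOWED.get(url.origin);
  if (prefix === undefined) return { ok: false, reason: 'origin' };
  if (!url.pathname.startsWith(prefix) || !url.pathname.endsWith('/tinymce.min.js')) {
    return { ok: false, reason: 'path' };
  }
  // Drop query and fragment so only the vetted location is loaded.
  return { ok: true, href: url.origin + url.pathname };
}

// Value to hand to the tinymceScriptSrc prop: vetted candidate or fixed default.
function safeScriptSrc(candidate) {
  const result = checkScriptSrc(candidate);
  return result.ok ? result.href : DEFAULT_SRC;
}
```

The comparison is made on the parsed origin and normalized path rather than on the raw string, so look-alike hosts and dot-segment paths are rejected instead of passing a prefix match.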
The tinymce-react module is used in our system. On running security scans on the system, a Cross-Site Request Forgery (CSRF) issue has been reported on the tinymce.min.js file.
Can you please check if tinymce requests are vulnerable to CSRF attacks? If yes, can we fix this issue, as the system can be vulnerable to the attacks?
tinymce/tinymce-react version - ^3.12.6
Thanks in advance!