tinymce / tinymce-vue

Official TinyMCE Vue component
MIT License
2.01k stars 202 forks

TinyMCE Cross-Site Scripting (XSS) vulnerability #407

Open kburisma opened 2 months ago

kburisma commented 2 months ago

Hi! Just reaching out about the update status of tinymce-vue. Got a heads up from npm today about an XSS bug in TinyMCE, set to be fixed in version 7.0.

TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements - https://github.com/advisories/GHSA-5359-pvf2-pw78

Is there any chance we'll see an update roll out soon to address this?

Thanks a bunch!

Edgaraszs commented 2 months ago

There are a lot more vulnerabilities; it would be nice to get an update to 7.0.

Afraithe commented 2 months ago

We are working on an update to the vue package.

meirroth commented 1 month ago

@Afraithe Awesome, can't wait!

719media commented 1 month ago

@Afraithe any word on a new version?

meirroth commented 3 weeks ago

Looks like this issue should be resolved with https://github.com/tinymce/tinymce-vue/pull/408