Update dependency tinymce to 5.10.0 [SECURITY] - autoclosed #262

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 8, 2021

WhiteSource Renovate

This PR contains the following updates:

Package   Change
tinymce   4.9.11 -> 5.10.0

GitHub Vulnerability Alerts

GHSA-h96f-fc7c-9r55

Impact

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.6.0 or higher
  • Disable the codesample plugin
  • Disable ruby code samples using the codesample_languages setting
  • Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting

Acknowledgements

Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

For more information

If you have any questions or comments about this advisory:

GHSA-w7jx-j77m-wp65

Impact

A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by improved URL sanitization logic.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.6.0 or higher
  • Manually sanitize iframe, object and embed URL attributes using a TinyMCE node filter.
  • Disable iframe, object, and embed elements in your content using the invalid_elements setting.

Example: Sanitizing using a node filter

editor.parser.addNodeFilter('iframe,object,embed', function(nodes) {
  nodes.forEach(function(node) {
    if (node.attributes) {
      // Iterate over a copy: node.attr(name, null) removes the attribute from
      // the live array, which would otherwise skip the next entry.
      node.attributes.slice().forEach(function(attr) {
        var name = attr.name;
        var value = attr.value;
        // Sanitize the attribute value here or remove it entirely. Shown here:
        // keep the value only if it passes your own URL check (isSafeUrl is a
        // placeholder for that check, not a TinyMCE API); null removes it.
        var sanitizedValue = isSafeUrl(value) ? value : null;
        node.attr(name, sanitizedValue);
      });
    }
  });
});

Example: Using invalid_elements

invalid_elements: 'iframe,object,embed'

Acknowledgements

Tiny Technologies would like to thank Aaron Bishop at SecurityMetrics for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

For more information

If you have any questions or comments about this advisory:

GHSA-5vm8-hhgr-jcjp

Impact

A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor. This impacts all users who are using TinyMCE 5.7.0 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.7.1 by improved URL sanitization logic.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.7.1 or higher
  • Manually sanitize form URL attributes using a TinyMCE node filter.
  • Disable form elements in your content using the invalid_elements setting.

Example: Sanitizing using a node filter

editor.parser.addNodeFilter('form', function(nodes) {
  nodes.forEach(function(node) {
    if (node.attributes) {
      // Iterate over a copy: node.attr(name, null) removes the attribute from
      // the live array, which would otherwise skip the next entry.
      node.attributes.slice().forEach(function(attr) {
        var name = attr.name;
        var value = attr.value;
        // Sanitize the attribute value here or remove it entirely. Shown here:
        // keep the value only if it passes your own URL check (isSafeUrl is a
        // placeholder for that check, not a TinyMCE API); null removes it.
        var sanitizedValue = isSafeUrl(value) ? value : null;
        node.attr(name, sanitizedValue);
      });
    }
  });
});

Example: Using invalid_elements

invalid_elements: 'form'
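The advisories above each give one workaround in isolation. The following is an added example (not code from the advisories or from TinyMCE) that puts them together: a URL-attribute check that handles the scheme-obfuscation tricks a naive prefix test misses, a node filter built on it for GHSA-w7jx-j77m-wp65 and GHSA-5vm8-hhgr-jcjp, and an init config that also drops ruby from codesample_languages (GHSA-h96f-fc7c-9r55) and omits the image and link plugins (GHSA-r8hm-w5f7-wj39). It assumes the TinyMCE 5 API named in the advisory text (editor.parser.addNodeFilter, node.attributes, node.attr(name, null) removing an attribute); URL_ATTRS and ALLOWED_SCHEMES are this example's own choices.

```javascript
// Added example, not advisory or TinyMCE code. Assumes the TinyMCE 5 API from
// the advisory text: editor.parser.addNodeFilter, node.attributes, and
// node.attr(name, null) removing an attribute. Attribute/scheme lists are ours.
const URL_ATTRS = new Set(['src', 'data', 'action', 'formaction', 'codebase']);
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);
// True for relative URLs and allowed schemes, false for javascript:, data:,
// vbscript: and unknown schemes. Entities are decoded and the control/whitespace
// characters browsers ignore in a scheme are stripped before the check.
function isSafeUrl(raw) {
  if (typeof raw !== 'string') return false;
  const decode = n => (n <= 0x10ffff ? String.fromCodePoint(n) : '');
  const v = raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => decode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => decode(parseInt(d, 10)))
    .replace(/[\u0000-\u0020\u007f-\u009f]/g, '')
    .toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*:)/.exec(v);
  return m === null || ALLOWED_SCHEMES.has(m[1]);
}
// Node filter: remove unsafe URL attributes rather than trying to repair them.
function sanitizeUrlAttributes(nodes) {
  nodes.forEach(node => {
    // slice(): node.attr(name, null) splices the live attributes array
    (node.attributes || []).slice().forEach(attr => {
      if (URL_ATTRS.has(attr.name.toLowerCase()) && !isSafeUrl(attr.value)) {
        node.attr(attr.name, null);
      }
    });
  });
}
// Init config combining the workarounds; selector is supplied by the caller.
function buildInitConfig(selector) {
  return {
    selector,
    // image and link plugins left out per GHSA-r8hm-w5f7-wj39 until 5.10.0
    plugins: 'codesample',
    // GHSA-h96f-fc7c-9r55: ruby is not in the highlighter's language list
    codesample_languages: [
      { text: 'HTML/XML', value: 'markup' },
      { text: 'JavaScript', value: 'javascript' },
    ],
    invalid_elements: 'form', // GHSA-5vm8-hhgr-jcjp: drop forms outright
    setup(editor) { // GHSA-w7jx-j77m-wp65: filter the remaining URL bearers
      editor.parser.addNodeFilter('iframe,object,embed', sanitizeUrlAttributes);
    },
  };
}
```

Pass the result of buildInitConfig to tinymce.init; the check is deliberately an allowlist, so an unknown scheme is dropped rather than let through.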

Acknowledgements

Tiny Technologies would like to thank Mikhail Khramenkov at Solar Security Research Team for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes571/#securityfixes

For more information

If you have any questions or comments about this advisory:

GHSA-5h9g-x5rv-25wg

Impact

A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.9.0 or higher
  • Manually sanitize the content using the BeforeSetContent event (see below)

Example: Manually sanitize content

editor.on('BeforeSetContent', function(e) {
  // Manually sanitize content here: sanitizeHtml stands for your own
  // allowlist-based HTML sanitizer (for example DOMPurify.sanitize); it is
  // not a TinyMCE API.
  var sanitizedContent = sanitizeHtml(e.content);
  e.content = sanitizedContent;
});

Acknowledgements

Tiny Technologies would like to thank William Bowling for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes

For more information

If you have any questions or comments about this advisory:

GHSA-r8hm-w5f7-wj39

Impact

A cross-site scripting (XSS) vulnerability was discovered in the URL processing logic of the image and link plugins. The vulnerability allowed arbitrary JavaScript execution when updating an image or link using a specially crafted URL. This issue only impacted users while editing and the dangerous URLs were stripped in any content extracted from the editor. This impacts all users who are using TinyMCE 5.9.2 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.10.0 by improved sanitization logic when updating URLs in the relevant plugins.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.10.0 or higher
  • Disable the image and link plugins

Acknowledgements

Tiny Technologies would like to thank Yakir6 for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes510/#securityfixes

For more information

If you have any questions or comments about this advisory:


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from b22a7bd to 065fe1d Compare February 15, 2021 00:13
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from 065fe1d to 63d8cfd Compare March 11, 2021 18:26
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from 63d8cfd to cf26516 Compare March 31, 2021 23:23
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch 2 times, most recently from a76ed41 to c40a667 Compare April 30, 2021 20:34
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from c40a667 to 1d9b16e Compare May 15, 2021 16:45
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch 3 times, most recently from 199c96b to b8970b6 Compare May 29, 2021 11:36
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from b8970b6 to 7454480 Compare June 6, 2021 07:50
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch 2 times, most recently from ba27732 to 16c7763 Compare August 3, 2021 20:23
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from 16c7763 to 289fbd9 Compare September 24, 2021 08:35
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from 289fbd9 to e87f3cc Compare October 22, 2021 17:30
@renovate renovate bot force-pushed the renovate/npm-tinymce-vulnerability branch from e87f3cc to ea8d8fc Compare November 2, 2021 15:50
@renovate renovate bot changed the title Update dependency tinymce to v5 [SECURITY] Update dependency tinymce to 5.10.0 [SECURITY] Nov 13, 2021
@renovate renovate bot changed the title Update dependency tinymce to 5.10.0 [SECURITY] Update dependency tinymce to 5.10.0 [SECURITY] - autoclosed Jan 7, 2022
@renovate renovate bot closed this Jan 7, 2022
@renovate renovate bot deleted the renovate/npm-tinymce-vulnerability branch January 7, 2022 20:10