Update dependency tinymce to 5.10.0 [SECURITY] - autoclosed #262
This PR contains the following updates:
tinymce `4.9.11` -> `5.10.0`
GitHub Vulnerability Alerts
GHSA-h96f-fc7c-9r55
Impact
A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the `codesample` plugin. The vulnerability allowed poorly formed Ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the `codesample` plugin using TinyMCE 5.5.1 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.
Workarounds
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.6.0 or higher
- Disable the `codesample` plugin
Acknowledgements
Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
For more information
If you have any questions or comments about this advisory:
GHSA-w7jx-j77m-wp65
Impact
A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs. This impacts all users who are using TinyMCE 5.5.1 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.6.0 by improved URL sanitization logic.
Workarounds
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.6.0 or higher
- Sanitize `iframe`, `object` and `embed` URL attributes using a TinyMCE node filter
- Remove `iframe`, `object` and `embed` elements from your content using the `invalid_elements` setting
Example: Sanitizing using a node filter
Example: Using invalid_elements
```js
invalid_elements: 'iframe,object,embed'
```
Acknowledgements
Tiny Technologies would like to thank Aaron Bishop at SecurityMetrics for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes
For more information
If you have any questions or comments about this advisory:
GHSA-5vm8-hhgr-jcjp
Impact
A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for `form` elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor. This impacts all users who are using TinyMCE 5.7.0 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.7.1 by improved URL sanitization logic.
Workarounds
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.7.1 or higher
- Sanitize `form` URL attributes using a TinyMCE node filter
- Remove `form` elements from your content using the `invalid_elements` setting
Example: Sanitizing using a node filter
Example: Using invalid_elements
```js
invalid_elements: 'form'
```
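As an added example (my code, not from the advisories, Tiny Technologies or this repository), this is one way to implement the node-filter workaround that both GHSA-w7jx-j77m-wp65 and GHSA-5vm8-hhgr-jcjp describe: a single TinyMCE 5 filter that drops the URL-carrying attribute on `iframe`, `object`, `embed` and `form` nodes unless the value is relative or uses an allow-listed scheme. The element-to-attribute map, the scheme allow-list and the `textarea` selector are this example's assumptions; `editor.on('PreInit', ...)`, `editor.parser.addNodeFilter`, `editor.serializer.addNodeFilter` and `AstNode.attr` are the real TinyMCE 5 API.

```javascript
// Added example, not code from the advisories or from this repository.
// A TinyMCE 5 node filter that removes URL attributes on iframe/object/embed/form
// elements unless the value is relative or uses an allow-listed scheme.

// Constructed map of element name -> attributes that carry a URL (assumption).
const URL_ATTRS = {
  iframe: ['src'],
  object: ['data'],
  embed: ['src'],
  form: ['action'],
};

// Only these schemes are allowed on an absolute URL (assumption).
const ALLOWED_SCHEMES = ['http', 'https'];

// Normalise the way browsers do before they look for a scheme: drop ASCII tab,
// LF and CR anywhere, then strip leading/trailing C0 controls and spaces.
// Without this step a value such as "java\tscript:alert(1)" would not match the
// scheme regex and would be mistaken for a harmless relative URL.
function normalizeUrl(value) {
  return value
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// Returns true when the URL is relative (no scheme) or uses an allowed scheme.
function isSafeUrl(value) {
  if (typeof value !== 'string') return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeUrl(value));
  if (m === null) return true;                       // no scheme: relative URL
  return ALLOWED_SCHEMES.includes(m[1].toLowerCase());
}

// Node filter callback. `nodes` is the list of matched AstNode objects; each
// exposes .name and .attr(name[, value]); attr(name, null) removes the attribute.
// Returns the number of attributes removed so callers can observe what happened.
function sanitizeUrlAttributes(nodes) {
  let removed = 0;
  for (const node of nodes) {
    for (const attrName of URL_ATTRS[node.name] || []) {
      const value = node.attr(attrName);
      if (value !== undefined && value !== null && !isSafeUrl(value)) {
        node.attr(attrName, null);
        removed += 1;
      }
    }
  }
  return removed;
}

// Editor wiring; only runs in a page where tinymce has been loaded.
if (typeof tinymce !== 'undefined') {
  tinymce.init({
    selector: 'textarea', // assumed selector
    setup(editor) {
      editor.on('PreInit', () => {
        // Filter content on the way in (paste, setContent) and on the way out (getContent).
        const names = Object.keys(URL_ATTRS).join(',');
        editor.parser.addNodeFilter(names, sanitizeUrlAttributes);
        editor.serializer.addNodeFilter(names, sanitizeUrlAttributes);
      });
    },
  });
}
```

The filter is registered on both the parser and the serializer so that a value which slips past the parser (or is injected through a later API call) is still stripped when content is extracted from the editor. Relative URLs are allowed because they resolve against the hosting page; tighten `ALLOWED_SCHEMES` or the map if your deployment needs a stricter policy.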
Acknowledgements
Tiny Technologies would like to thank Mikhail Khramenkov at Solar Security Research Team for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes571/#securityfixes
For more information
If you have any questions or comments about this advisory:
GHSA-5h9g-x5rv-25wg
Impact
A cross-site scripting (XSS) vulnerability was discovered in the schema validation logic of the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or editor APIs. This malicious content could then end up in content published outside the editor, if no server-side sanitization was performed. This impacts all users who are using TinyMCE 5.8.2 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.9.0 by ensuring schema validation was still performed after unwrapping invalid elements.
Workarounds
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.9.0 or higher
- Sanitize content manually using the `BeforeSetContent` event (see below)
Example: Manually sanitize content
Acknowledgements
Tiny Technologies would like to thank William Bowling for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes
For more information
If you have any questions or comments about this advisory:
GHSA-r8hm-w5f7-wj39
Impact
A cross-site scripting (XSS) vulnerability was discovered in the URL processing logic of the `image` and `link` plugins. The vulnerability allowed arbitrary JavaScript execution when updating an image or link using a specially crafted URL. This issue only impacted users while editing, and the dangerous URLs were stripped from any content extracted from the editor. This impacts all users who are using TinyMCE 5.9.2 or lower.
Patches
This vulnerability has been patched in TinyMCE 5.10.0 by improved sanitization logic when updating URLs in the relevant plugins.
Workarounds
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.10.0 or higher
- Disable the `image` and `link` plugins
Acknowledgements
Tiny Technologies would like to thank Yakir6 for discovering this vulnerability.
References
https://www.tiny.cloud/docs/release-notes/release-notes510/#securityfixes
For more information
If you have any questions or comments about this advisory:
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.