When it comes to developing software for commercial use, more and more developers understand the importance of security. They understand the need to embed it firmly in every aspect of their products, from the ground up. That’s why, at Tiny, security is a top priority.
We know it’s important that you are able to keep information and data secure; otherwise, you risk losing customers, running into legal problems, and leaking sensitive data which can tarnish your brand. You need to be in control of the confidentiality, integrity, and availability of the data you’re working with.
Attacks like denial-of-service, man-in-the-middle, SQL injection, cross-site scripting, and brute force are happening all the time; by some estimates, around 30,000 websites are compromised every single day.
TinyMCE is used as the text entry component in 100M+ products, and those products are used by companies in finance, government, defense, health, and education, where compromised data can have truly catastrophic consequences. As a company in any of these sectors, you want to minimize the risk of your data being compromised in any way. At Tiny, we have a responsibility to do our part.
It should be no surprise then that we have an InfoSec team working together to ensure TinyMCE is as secure as possible based on the latest known methods of attack, and responding quickly to new threats and vulnerabilities.
Knowing the extent of our user base, and the security-critical nature of many of our customers and their clients, our InfoSec team wastes no time in responding to new threats and vulnerabilities, working closely with our engineering team to patch the codebase as required.
Just recently, security researcher Michał Bentkowski conducted extensive research into the risks of pasting arbitrary content in browsers, including an analysis of WYSIWYG editors such as CKEditor, Froala, and our own TinyMCE. As part of that research, he reported security vulnerabilities in all three editors, as well as in other popular software such as Google Docs; we resolved the TinyMCE issues as soon as they were reported to us.
WYSIWYG editors typically handle the paste event themselves, processing and manipulating the pasted HTML in some way. TinyMCE does this, for example, to bring in content from apps like Microsoft Word and Excel cleanly, to normalize pasted elements, and to remove dangerous ones.
When it comes to handling that HTML, we avoid extensive processing with regular expressions and string manipulation, which helps to minimize vulnerabilities: a string-based filter and the browser's HTML parser can disagree about where a tag or attribute starts and ends, and every such disagreement is a potential bypass.
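The point above, as an added example that is not TinyMCE's code: a one-pass regex "sanitizer" of the kind just described, two constructed inputs that pass through it unchanged yet read as an active payload to the browser's parser, and, for contrast, an allowlist sanitizer that walks the parsed DOM instead. The tag and attribute allowlists, the `example.invalid` base used for resolving relative URLs, and the `contenteditable` paste wiring are illustrative assumptions; the DOM part needs a browser (or jsdom), the regex and URL checks run in Node as well.

```javascript
// Added example, not TinyMCE's code. Contrasts a string/regex "sanitizer" with a
// DOM-walking allowlist applied to pasted HTML. Bypass inputs are constructed.

// --- 1. Naive one-pass regex sanitizer (the fragile approach) ---------------
function regexSanitize(html) {
  return html
    .replace(/<\/?script[^>]*>/gi, '')                          // drop <script>, </script>
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');   // drop on*="..." handlers
}

// Constructed inputs that survive regexSanitize(). What matters is not the
// string that comes out but how the browser's parser will read it.
const REGEX_BYPASSES = {
  // Deleting the inner <script>/</script> once re-assembles an outer script tag.
  nestedTag: '<scr<script>ipt>alert(1)</scr</script>ipt>',
  // '/' is a valid attribute separator in HTML, so the "\son" pattern never fires.
  slashSeparator: '<img/src=x/onerror=alert(1)>',
};

// --- 2. Structural approach: parse first, then walk the tree ----------------
// Illustrative allowlists (assumed); a real editor schema is far larger.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a', 'img']);
const ALLOWED_ATTRS = { a: ['href'], img: ['src', 'alt'] };
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const URL_ATTRS = new Set(['href', 'src']);

// Scheme check on the decoded attribute value. The URL parser lowercases the
// scheme and strips ASCII tab/newline, so "JaVaScRiPt:" and "java\tscript:"
// are both rejected; entities such as &#106; are already decoded by the HTML parser.
function isSafeUrl(value) {
  let url;
  try {
    url = new URL(value, 'https://example.invalid/'); // assumed base for relative URLs
  } catch {
    return false;
  }
  return url.protocol === 'https:' || url.protocol === 'http:' || url.protocol === 'mailto:';
}

// Walks a parsed DOM subtree in place: active-content elements are removed with
// their children, unknown elements are unwrapped (text kept), and every
// attribute not on the allowlist, or carrying an unsafe URL, is dropped.
function sanitizeTree(node) {
  for (const child of Array.from(node.childNodes)) {
    if (child.nodeType === 1) {                       // Node.ELEMENT_NODE
      const tag = child.tagName.toLowerCase();
      if (DROP_WITH_CONTENT.has(tag)) {
        child.remove();
        continue;
      }
      if (!ALLOWED_TAGS.has(tag)) {
        sanitizeTree(child);
        child.replaceWith(...child.childNodes);       // unwrap, keep cleaned children
        continue;
      }
      for (const attr of Array.from(child.attributes)) {
        const name = attr.name.toLowerCase();
        const allowed = (ALLOWED_ATTRS[tag] || []).includes(name);
        if (!allowed || (URL_ATTRS.has(name) && !isSafeUrl(attr.value))) {
          child.removeAttribute(attr.name);
        }
      }
      sanitizeTree(child);
    } else if (child.nodeType !== 3) {                // keep text nodes, drop comments etc.
      child.remove();
    }
  }
}

// Browser-only: lets the real HTML parser decide what the markup means,
// then serialises the cleaned tree back to a string.
function sanitizePastedHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  sanitizeTree(doc.body);
  return doc.body.innerHTML;
}

// Wiring for a contenteditable region, when running in a browser.
if (typeof document !== 'undefined') {
  const editor = document.querySelector('[contenteditable]');
  if (editor) {
    editor.addEventListener('paste', (e) => {
      const html = e.clipboardData.getData('text/html');
      if (!html) return;                              // plain-text paste: leave it to the browser
      e.preventDefault();
      // execCommand is deprecated but remains the simplest way to insert at the caret.
      document.execCommand('insertHTML', false, sanitizePastedHtml(html));
    });
  }
}
```

Note that the regex version does handle the obvious case (`<p onclick="x">` and a plain `<script>` block both get stripped), which is exactly what makes it dangerous: it looks correct until someone feeds it markup that tokenizes differently from how the regex author imagined. The DOM walk has no such ambiguity because the only parser in the loop is the browser's own.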
With the few vulnerabilities that were found, we responded quickly to reduce any potential risk to our clients.
When a security issue is reported, our InfoSec team assesses its severity and impact and decides on a course of action. If the fix requires a product change, we consult the relevant engineering team and the issue is given top priority. The issue is addressed in all supported versions. Once it is fixed in the commercial versions, we issue security alerts. GitHub security advisories work well for this, as GitHub is so widely used and integrates into many companies' patching workflows.
The last thing we’re going to let happen is for any zero-day vulnerabilities to be exploited due to negligence on our part.
Building a rich text editor is extremely complex. There are already a great many use cases and edge cases to cater for, and security adds another dimension. That's why we employ some of the best engineering minds in the business and have our own dedicated, in-house QA team running comprehensive tests. It's this level of experience and rigor that gives us the reputation of being the most advanced, flexible WYSIWYG HTML editor available.
Having an open source core exposes our code for everyone to see, which means we also have the power of the community behind it. Some of the best minds are also out in the wider community, like Michał, and they work with us to ensure we catch any other bugs that might occasionally slip through.
Michał's research has prompted a lot of renewed discussion in our sector about security, and within the Tiny office about what else we can do to enhance security for our users. With our dedicated InfoSec team here at Tiny, we are continuing to monitor and improve security across all of our product lines.
Security is important to us and our users, so security issues are given the highest priority of any type of issue at Tiny.
Anyone discovering a vulnerability may report it by emailing infosec@tiny.cloud. Tiny customers may also log issues through the Tiny support system.
For more information, refer to our documentation about TinyMCE and security.
Not yet using TinyMCE on the cloud? When you’re on the cloud, you’ll always be up to date with the latest build and newest features. Get a free API Key and try it out (you’ll also get a free trial of our premium plugins!)