Start trial
PricingContact Us
Log InStart For Free

XSS security issue - Tiny’s commitment

August 12th, 2020

3 min read

Laptop keyboard viewed from the side with screen half closed.

Written by

Dylan Just

Category

Developer Insights

Tagged

Tiny has released a security update for its open source HTML editor based on a cross-site scripting (XSS) vulnerability discovered by Bishop Fox Labs.

What is the security issue? 

TinyMCE 4 prior to 4.9.11 and TinyMCE 5 prior to 5.4.1 are affected by a vulnerability in their content sanitization logic, which allows an attacker to bypass these built-in cross-site scripting (XSS) protections and execute arbitrary JavaScript code.

This vulnerability can be mitigated with holistic XSS protections from the application, such as a strict content security policy (CSP), or by updating TinyMCE to version 4.9.11 or 5.4.1.

Applying security updates

Our users consume TinyMCE through several channels, so the patching process is different for each.

Open Source users typically consume TinyMCE via NPM. These users should use their package manager (typically NPM or Yarn) to update the package.

Our commercial users consume TinyMCE through our cloud or self-hosted offerings.

Cloud users add TinyMCE to their web pages using a script tag with a URL like this one below, filling in MY_API_KEY with their API Key shown in My Account.

https://cdn.tiny.cloud/1/MY_API_KEY/tinymce/5/tinymce.min.js

Note the "5" in the URL – this denotes the major version of TinyMCE. Any users using this URL will automatically receive the update. Some users may be using "4" or "stable" – these users will receive the security fixes, but we strongly recommend that they switch to "5" to get the latest updates.

Self-hosted customers can download updates to TinyMCE through My Account.

TinyMCE & security

TinyMCE is a web-based rich text editor. It loads HTML content, provides a powerful editing experience, then allows the content to be retrieved, for example, to publish on a web page. It is a component that's integrated into many web-based user interfaces – typically Content Management Systems (CMS) and Learning Management Systems (LMS).

When HTML content is loaded into TinyMCE – either by JavaScript calls, pasting content, or other user input – TinyMCE must not execute any scripts contained in this content. The vulnerability listed is of this form – TinyMCE is not correctly sanitizing the content before including it in the browser DOM, and so the embedded script is executed.

General recommendations

As a JavaScript component, TinyMCE is just one part of the content lifecycle. When a web app extracts content from TinyMCE, we strongly recommend that the content is sanitized server-side before saving or publishing. This is no different to any other input coming from a web page – someone could put a script tag in an input or textarea tag, but it's up to the app itself to make sure the content is safe before publishing or rendering. If the integrating app does this, then this whole class of vulnerability is mitigated.

We also recommend the use of a Content Security Policy to further mitigate XSS vectors.

Tiny's security response process

Security is very important to us and our users, so security issues are given the highest priority of any type of issue at Tiny.

Anyone discovering a vulnerability may report it by emailing infosec@tiny.cloud. Tiny customers may also log issues through the Tiny support system.

When security issues are reported, our InfoSec team assesses the severity and impact of the issue and decides on a course of action. If the issue requires a change to a product, we consult with the relevant engineering team, and the issue is given top priority. The issue will be addressed in all supported versions, first in any open source versions, then immediately in our commercial versions.

Once the issue is fixed in the commercial versions, we issue security alerts. GitHub security reports are great for this, as GitHub is such a well-known system, and it integrates well into many company's patching workflow.

Our InfoSec team also holds a quarterly review to discuss all issues raised in the quarter, and to make process improvements going forward.

Stay up to date with what's happening at Tiny by following us on Twitter, and don't hesitate to contact us with any questions or feedback at all.

Security
byDylan Just

Dylan Just is Tiny's Principal Architect and manages our integrations and IT team. A long-time Tiny veteran, Dylan has contributed to many of our products, and now focuses on how engineering works across teams.

Related Articles

  • Developer InsightsNov 7th, 2024

    Meet the Top Experts at Frontend Nation 2024 with TinyMCE

Join 100,000+ developers who get regular tips & updates from the Tiny team.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Tiny logo

Stay Connected

SOC2 compliance badge

Products

TinyMCEDriveMoxieManager
© Copyright 2024 Tiny Technologies Inc.

TinyMCE® and Tiny® are registered trademarks of Tiny Technologies, Inc.