TinyMCE 6.8.5

These are the Tiny Cloud and TinyMCE Enterprise release notes. For information on the latest community version of TinyMCE, see the TinyMCE Changelog.

Overview

TinyMCE 6.8.5 was released for TinyMCE Enterprise and Tiny Cloud on Wednesday, October 10th, 2024.

These release notes provide an overview of the changes for TinyMCE 6.8.5, including:

Security fix

TinyMCE 6.8.5 includes one fix for the following security issue:

Invalid HTML elements within SVG elements were not removed

A cross-site scripting (XSS) vulnerability was discovered in DOMPurify, the HTML sanitizer that TinyMCE uses, and it affects versions of TinyMCE prior to the 6.8.5 release. DOMPurify could be bypassed in XML contexts: invalid HTML elements nested inside XML content (such as SVG) were not sanitized correctly, because the XML parser used during sanitization and the HTML parser used when the output is rendered disagree about where certain constructs end, and markup that one parser treats as inert text or comment data becomes live elements for the other.

Affected Versions

DOMPurify versions prior to 3.1.7; TinyMCE versions prior to 6.8.5 are affected as a result.

Vulnerabilities

  • Invalid HTML Elements in SVG (CVE-2024-45801): Allowed invalid HTML elements within SVG to bypass sanitization.

  • XML Processing Instruction Bypass: Exploited the difference between XML and HTML parsers in handling processing instructions. An XML parser reads <?xml-stylesheet ><h1>Hello</h1> ?> as a single processing-instruction node that ends only at ?>, so the sanitizer never sees an h1 element; an HTML parser has no processing instructions, treats <? as the start of a bogus comment that ends at the first >, and then parses <h1>Hello</h1> as real markup, allowing h1 to bypass sanitization.

  • CDATA Section Bypass: Leveraged the difference in CDATA section handling between the XML and HTML namespaces. An XML parser (and the HTML parser only inside foreign content such as SVG or MathML) treats <![CDATA[ ... ]]> as a single text section that ends at ]]>, whereas the HTML parser in the HTML namespace treats <![CDATA[ as the start of a bogus comment that ends at the first >. The ]]> end token is therefore never honoured, and markup inside the section is parsed as elements, bypassing the end-token rules the sanitizer relied on.
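The two bypasses above are parser differentials, so the clearest way to see them is to tokenize the same bytes under XML rules and under HTML rules and compare which elements each parser creates. The following is an added example written for these notes; it is not TinyMCE or DOMPurify code. It implements only the HTML tokenizer states and XML rules involved (bogus comments, CDATA sections, processing instructions, comments and plain tags; quoted attribute values and entities are deliberately not handled), and the function names tokenize, elementNames and hiddenFromXml are this example's own. The first input is the processing-instruction string quoted in the release notes; the CDATA input is constructed on the same idea.

```javascript
// Added example, not TinyMCE or DOMPurify code. A minimal tokenizer that models
// only the HTML tokenizer states and XML rules relevant to the bypasses above:
// processing instructions, CDATA sections, comments and plain tags. Quoted
// attribute values and entities are deliberately not handled.

// mode: 'xml'          - XML parser rules (the tree a sanitizer sees in an XML context)
//       'html'         - HTML tokenizer with the current node in the HTML namespace
//       'html-foreign' - HTML tokenizer inside <svg> or <math> (foreign content)
function tokenize(input, mode) {
  const tokens = [];
  const push = (type, value) => tokens.push({ type, value });
  // Consume from `from` up to `delim`; return [content, indexAfterDelim].
  const upTo = (from, delim) => {
    const end = input.indexOf(delim, from);
    return end === -1
      ? [input.slice(from), input.length]
      : [input.slice(from, end), end + delim.length];
  };
  let i = 0;
  let content;
  while (i < input.length) {
    if (input[i] !== '<') {
      const next = input.indexOf('<', i);
      const end = next === -1 ? input.length : next;
      push('text', input.slice(i, end));
      i = end;
      continue;
    }
    const rest = input.slice(i);
    if (rest.startsWith('<!--')) {
      [content, i] = upTo(i + 4, '-->');
      push('comment', content);
    } else if (rest.startsWith('<![CDATA[')) {
      if (mode === 'xml' || mode === 'html-foreign') {
        // XML always, HTML only in foreign content: the section ends at ']]>'
        [content, i] = upTo(i + 9, ']]>');
        push('cdata', content);
      } else {
        // HTML namespace: '<!' not followed by '--' or DOCTYPE opens a bogus
        // comment whose data starts at '[' and ends at the first '>'
        [content, i] = upTo(i + 2, '>');
        push('comment', content);
      }
    } else if (rest.startsWith('<?')) {
      if (mode === 'xml') {
        // XML: a processing instruction ends only at '?>'
        [content, i] = upTo(i + 2, '?>');
        push('pi', content);
      } else {
        // HTML (any namespace): '<?' enters the bogus comment state, which
        // reconsumes the '?' and ends at the first '>'
        [content, i] = upTo(i + 1, '>');
        push('comment', content);
      }
    } else if (rest.startsWith('</')) {
      [content, i] = upTo(i + 2, '>');
      push('endTag', content.trim().toLowerCase());
    } else if (/^<[A-Za-z]/.test(rest)) {
      [content, i] = upTo(i + 1, '>');
      push('startTag', content.split(/[\s\/]/)[0].toLowerCase());
    } else {
      push('text', '<');
      i += 1;
    }
  }
  return tokens;
}

// Names of the elements a parser in the given mode would create for this input.
function elementNames(input, mode) {
  return tokenize(input, mode)
    .filter((t) => t.type === 'startTag')
    .map((t) => t.value);
}

// Elements the HTML parser (in htmlMode) creates that the XML parser never sees
// as elements: exactly what a sanitizer working on the XML tree would miss.
function hiddenFromXml(input, htmlMode = 'html') {
  const seenByXml = new Set(elementNames(input, 'xml'));
  return elementNames(input, htmlMode).filter((n) => !seenByXml.has(n));
}

// Constructed inputs: the first is the processing-instruction example quoted in
// the release notes; the second is a CDATA variant built on the same idea.
const PI_PAYLOAD = '<?xml-stylesheet ><h1>Hello</h1> ?>';
const CDATA_PAYLOAD = '<![CDATA[><b>bold</b>]]>';

for (const p of [PI_PAYLOAD, CDATA_PAYLOAD]) {
  console.log(p);
  console.log('  xml nodes:', tokenize(p, 'xml').length,
    ' hidden from XML, html namespace:', hiddenFromXml(p),
    ' inside svg/math:', hiddenFromXml(p, 'html-foreign'));
}
```

Running it shows the asymmetry the notes describe: the XML parser turns each input into one node with no element children, while the HTML parser creates an h1 from the first input in both the HTML namespace and foreign content (processing instructions are bogus comments everywhere in HTML), and creates a b from the second input only in the HTML namespace, where ]]> is not an end token. A sanitizer that inspects the XML tree and then hands the serialized string to an HTML parser therefore never gets the chance to remove those elements.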