TinyMCE 6.8.5
These are the Tiny Cloud and TinyMCE Enterprise release notes. For information on the latest community version of TinyMCE, see the TinyMCE Changelog. |
Overview
TinyMCE 6.8.5 was released for TinyMCE Enterprise and Tiny Cloud on Wednesday, October 10th, 2024.
These release notes provide an overview of the changes for TinyMCE 6.8.5, including:
Security fix
TinyMCE 6.8.5 includes one fix for the following security issue:
Invalid HTML elements within SVG
elements were not removed
A cross-site scripting (XSS) vulnerability was discovered in DOMPurify that affects versions of TinyMCE prior to 6.8.5 release. The issue was a result of DOMPurify allowing some bypassing which lead to improper sanitization of invalid HTML elements within XML contexts, exploiting parsing inconsistencies between XML and HTML.
Vulnerabilities
-
Invalid HTML Elements in SVG (CVE-2024-45801): Allowed invalid HTML elements within
SVG
to bypass sanitization. -
XML Processing Instruction Bypass: Exploited differences in XML and HTML parsers regarding Processing Instructions, where XML parsed
<?xml-stylesheet ><h1>Hello</h1> ?>
as a single node, allowingh1
to bypass sanitization. -
CDATA Section Bypass: Leveraged differences in CDATA section handling between XML and HTML namespaces, with CDATA treated as bogus comments in HTML, bypassing end token rules for sanitization.
GHSA: GitHub Advisory
CVE: CVE-2024-45801