There is an XSS vulnerability in tinymce before version 5.7.1.
A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for `<form>` elements.
This vulnerability has been patched in TinyMCE 5.7.1 by improved URL sanitization logic.
To work around this vulnerability, either:
- Upgrade to TinyMCE 5.7.1 or higher
- Manually sanitize `<form>` URL attributes using a TinyMCE node filter.
- Disallow `<form>` elements in your content using the invalid_elements setting.
Example: Sanitizing using a node filter
Example: Using invalid_elements
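The two workarounds above in working form, as an added example that is not part of the original advisory and not TinyMCE's own code: a node filter that scrubs `<form>` URL attributes, and an init config that disallows `<form>` elements via invalid_elements. It assumes the TinyMCE 5 APIs editor.on('PreInit'), editor.parser.addNodeFilter / addAttributeFilter and the Node attr() getter/setter (passing null removes an attribute). The scheme allow-list, the 'textarea' selector and the fakeNode / fakeEditor test doubles are assumptions constructed here so the filters can be exercised offline. It goes slightly beyond the advisory text by also covering the formaction attribute on submit buttons and inputs, which survives invalid_elements: 'form' because TinyMCE unwraps an invalid element's children rather than dropping them.

```javascript
// Added example (not TinyMCE's own code): hardening form URL attributes in parsed content.
// Assumed TinyMCE 5 APIs: editor.on('PreInit'), editor.parser.addNodeFilter,
// editor.parser.addAttributeFilter, and tinymce.html.Node#attr (null removes the attribute).

// Schemes a form may submit to (assumption: http/https only). Relative URLs carry no
// scheme and pass through; anything else (javascript:, data:, vbscript:, ...) is dropped.
const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Returns the cleaned URL, or null when the attribute must be removed.
// Mirrors browser URL handling: tab/CR/LF are stripped anywhere in the value and
// leading/trailing C0 controls and spaces are trimmed, so "java\tscript:" cannot slip past.
// Assumes the parser has already decoded HTML entities in attribute values.
function sanitizeFormUrl(raw) {
  if (typeof raw !== 'string') return null;
  const cleaned = raw.replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (match === null) return cleaned;                       // relative URL, no scheme
  return ALLOWED_SCHEMES.has(match[1].toLowerCase()) ? cleaned : null;
}

// Cleans one URL-bearing attribute on a parser node. Returns true when the value changed.
function scrubUrlAttr(node, name) {
  const raw = node.attr(name);
  if (raw === undefined) return false;
  const safe = sanitizeFormUrl(raw);
  node.attr(name, safe);                                     // null removes the attribute
  return safe !== raw;
}

// Workaround 1: node filters. Registered on PreInit so that editor.parser exists.
function registerFormUrlFilters(editor) {
  editor.on('PreInit', () => {
    editor.parser.addNodeFilter('form', (nodes) => {
      for (const node of nodes) scrubUrlAttr(node, 'action');
    });
    editor.parser.addAttributeFilter('formaction', (nodes) => {
      for (const node of nodes) scrubUrlAttr(node, 'formaction');
    });
  });
}

// Workaround 2: do not accept <form> at all. Pass this object to tinymce.init().
const hardenedInitConfig = {
  selector: 'textarea',             // assumed selector for the page's editor
  invalid_elements: 'form',
  setup: registerFormUrlFilters,    // also scrub formaction on the unwrapped children
};

// Constructed stand-ins (not TinyMCE objects) so the filters can run offline.
function fakeNode(attrs) {
  const store = { ...attrs };
  return {
    attr(name, value) {
      if (arguments.length === 1) return store[name];
      if (value === null) delete store[name]; else store[name] = value;
      return this;
    },
    attributes() { return { ...store }; },
  };
}

function fakeEditor() {
  const nodeFilters = {};
  const attrFilters = {};
  return {
    on(event, callback) { if (event === 'PreInit') callback(); },
    parser: {
      addNodeFilter(name, callback) { nodeFilters[name] = callback; },
      addAttributeFilter(name, callback) { attrFilters[name] = callback; },
    },
    runNodeFilter(name, nodes) { nodeFilters[name](nodes, name); },
    runAttrFilter(name, nodes) { attrFilters[name](nodes, name); },
  };
}

// Stand-alone run against constructed content.
const editor = fakeEditor();
registerFormUrlFilters(editor);
const form = fakeNode({ action: 'JaVa\tScRiPt:alert(1)', method: 'post' });
editor.runNodeFilter('form', [form]);
console.log(form.attributes());   // { method: 'post' }
console.log(hardenedInitConfig.invalid_elements);
```

With a real editor, registerFormUrlFilters is passed as the setup option (as in hardenedInitConfig) or called with the editor instance; the filters then run on every parse, including paste and setContent.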
Tiny Technologies would like to thank Mikhail Khramenkov at Solar Security Research Team for discovering this vulnerability.
For more information
If you have any questions or comments about this advisory:
Upgrade to version 5.7.1 or later
Advisory published: Jun 1st, 2021
Reported by Anonymous: May 28th, 2021