Type: Bug
Resolution: Fixed
Priority: Critical
Fix versions: 4.1.4, 4.2.1
TinyMCE has its own DOM Purification system using DOMPurify.
There's a known bug with it, but we also have our own DOM Purifier in PHP.
The bug we know about:
Given I set "extended_valid_elements" to "script[*]"
And I view source
When I open Tools > Source code and enter
    <script>
    const img = '<img src="example.jpg">';
    </script>
And I press Save
And I open Tools > Source code
Then my content is gone
Filed to TinyMCE via https://support.tiny.cloud/hc/en-us/requests/20246
Their response:
Our engineers have looked into this issue.
We believe that DOMPurify, our HTML sanitizer, is being a little too aggressive in attempting to sanitize the source code here. This is not our intended behavior, and we have created an internal task to address this in a future release. We have not scheduled that work specifically yet. We will update you when we have more detailed information to share.
Until this issue is resolved, one workaround would be to temporarily disable DOMPurify using this option:
https://www.tiny.cloud/docs/tinymce/6/security/#turning-dompurify-off
Please note, turning DOMPurify off leaves TinyMCE, and any application using TinyMCE, vulnerable to XSS attacks. Only turn DOMPurify off if alternative and equivalently capable HTML and XML sanitization and XSS protections are in place.
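An added check (example code, not Concrete CMS's or TinyMCE's) that audits a TinyMCE 6 init object for the two settings involved here: the "extended_valid_elements" rule "script[*]" from the repro above, and the DOMPurify-off workaround from the vendor response. The option name "xss_sanitization" is assumed to be the one the linked docs describe; it does not appear on this ticket.

```javascript
// Added example, not Concrete CMS or TinyMCE code. Audits a TinyMCE 6 init
// object for the two settings this ticket involves: allowing <script> through
// extended_valid_elements, and turning DOMPurify off (xss_sanitization: false,
// assumed to be the option the linked TinyMCE docs describe).

// Parse TinyMCE's valid-elements syntax, e.g. "img[class|src|alt],script[*]".
// Returns a Map: element name -> allowed attribute list ("*" means any).
// The "@[...]" entry (attributes valid on every element) is stored under "@".
function parseValidElements(spec) {
  const allowed = new Map();
  for (const raw of String(spec || "").split(",")) {
    const entry = raw.trim();
    if (!entry) continue;
    const m = entry.match(/^([+\-#]*)(@|[\w:./-]+)(?:\[([^\]]*)\])?$/);
    if (!m) continue; // ignore malformed entries instead of guessing
    const attrs = m[3] ? m[3].split("|").map((a) => a.trim()).filter(Boolean) : [];
    // "strong/b" means b is an alias of strong; both names are accepted input
    for (const name of m[2].split("/")) allowed.set(name, attrs);
  }
  return allowed;
}

// Return a list of findings (empty when nothing is worth flagging).
function auditTinyMceConfig(cfg) {
  const findings = [];
  const allowed = parseValidElements(cfg.extended_valid_elements);
  const scriptAllowed = allowed.has("script");
  if (scriptAllowed) {
    findings.push(
      "extended_valid_elements admits <script>" +
        (allowed.get("script").includes("*") ? " with any attribute" : "") +
        ": saved content is executable, so the server-side sanitizer is the real control"
    );
  }
  if (cfg.xss_sanitization === false) {
    findings.push(
      "xss_sanitization is false: DOMPurify is off" +
        (scriptAllowed ? " while <script> is allowed" : "") +
        "; acceptable only with an equivalent server-side HTML sanitizer on save"
    );
  }
  return findings;
}

// Constructed sample configs: the ticket's setup with the vendor workaround
// applied, beside a default-strength config.
const ticketConfig = { extended_valid_elements: "script[*]", xss_sanitization: false };
const defaultConfig = { extended_valid_elements: "img[class|src|alt],strong/b" };
```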