Moodle issue MDL-78714

Disable client-side TinyMCE DOM Purification


      TinyMCE has its own DOM Purification system using DOMPurify.

      There's a known bug with it, but we also have our own DOM Purifier in PHP.

      The bug we know about:

      Given I set "extended_valid_elements" to "script[*]"
      And I view source
      When I open Tools > Source code

      const img = '<img src="example.jpg">';

      And I press Save
      And I open Tools > Source code
      Then my content is gone

      Filed to TinyMCE via https://support.tiny.cloud/hc/en-us/requests/20246

      Their response:

      Our engineers have looked into this issue.

      We believe that DOMPurify, our HTML sanitizer, is being a little too aggressive in attempting to sanitize the source code here. This is not our intended behavior, and we have created an internal task to address this in a future release. We have not scheduled that work specifically yet. We will update you when we have more detailed information to share.

      Until this issue is resolved, one workaround would be to temporarily disable DOMPurify using this option:


      Please note, turning DOMPurify off leaves TinyMCE, and any application using TinyMCE, vulnerable to XSS attacks. Only turn DOMPurify off if alternative and equivalently capable HTML and XML sanitization and XSS protections are in place.

            People on this issue: Andrew Lyons (dobedobedoh), Paul Holden, Ilya Tregubov, Kim Jared Lucas