MDL-78714: Disable client-side TinyMCE DOM Purification


      TinyMCE has its own DOM Purification system using DOMPurify.

      There's a known bug with it, but we also have our own DOM Purifier in PHP.

      The bug we know about:

      Given I set "extended_valid_elements" to "script[*]"
      And I view source
      When I open Tools > Source code

      <script>
      const img = '<img src="example.jpg">';
      </script>
      

      And I press Save
      And I open Tools > Source code
      Then my content is gone

      Filed to TinyMCE via https://support.tiny.cloud/hc/en-us/requests/20246

      Their response:

      Our engineers have looked into this issue.

      We believe that DOMPurify, our HTML sanitizer, is being a little too aggressive in attempting to sanitize the source code here. This is not our intended behavior, and we have created an internal task to address this in a future release. We have not scheduled that work specifically yet. We will update you when we have more detailed information to share.

      Until this issue is resolved, one workaround would be to temporarily disable DOMPurify using this option:

      https://www.tiny.cloud/docs/tinymce/6/security/#turning-dompurify-off

      Please note, turning DOMPurify off leaves TinyMCE, and any application using TinyMCE, vulnerable to XSS attacks. Only turn DOMPurify off if alternative and equivalently capable HTML and XML sanitization and XSS protections are in place.
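The reproduction above hinges on whether a sanitizer treats the body of a `<script>` element as raw text or parses the HTML-looking string literal inside it as markup. As an added illustration (not Moodle's PHP purifier and not TinyMCE or DOMPurify code), the Python below is a minimal server-side pass that drops `<script>` elements whole while leaving the surrounding markup intact; `html.parser` handles `<script>` bodies as CDATA, so the `<img>` inside the string literal is never seen as a tag. The sample input is constructed to mirror the ticket.

```python
from html.parser import HTMLParser


class ScriptStripper(HTMLParser):
    """Rebuild the input markup, omitting every <script> element.

    HTMLParser switches to CDATA mode inside <script>, so the body arrives
    via handle_data and is never tokenised as tags; an HTML-looking string
    literal inside the script therefore cannot confuse the pass.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities verbatim
        self.out = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif not self.in_script:
            self.out.append(self.get_starttag_text())  # original tag text

    def handle_startendtag(self, tag, attrs):
        if tag != "script" and not self.in_script:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        elif not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.in_script:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.in_script:
            self.out.append(f"<!--{data}-->")


def strip_scripts(html: str) -> str:
    """Return html with all <script> elements (and their bodies) removed."""
    parser = ScriptStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample mirroring the ticket: a script whose body contains an
# <img> tag as a string literal, followed by a real <img> that must survive.
SAMPLE = ('<p>Intro &amp; more</p>'
          '<script>const img = \'<img src="example.jpg">\';</script>'
          '<img src="logo.png" alt="kept">')

if __name__ == "__main__":
    print(strip_scripts(SAMPLE))
```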

            dobedobedoh Andrew Lyons
            Paul Holden Paul Holden
            Ilya Tregubov Ilya Tregubov
            Kim Jared Lucas Kim Jared Lucas