XSS Vulnerabilities Patched with TinyMCE 6.8.4
EPiServer.CMS.TinyMce NuGet package, version 4.8.1, brings TinyMCE 6.8.4 to Optimizely CMS 12, focusing on security improvements by addressing two critical XSS vulnerabilities.
TinyMCE 6.8.4 includes the following security patches:
- Improved parsing for noscript elements: a double-decoding issue with noscript elements that previously created an XSS risk has now been fully resolved.
- Tighter security with noneditable_regexp: this update addresses a vulnerability that allowed specific HTML attributes to bypass validation when using the noneditable_regexp option, ensuring all attributes are properly verified.
This update enhances content security and is a recommended upgrade for CMS 12 users. It adds a stronger layer of protection against content-based attacks.
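To confirm a CMS 12 solution has actually picked up the fixed package, the following added audit script (written for this note, not code from Optimizely or TinyMCE) scans a .csproj or packages.config for EPiServer.CMS.TinyMce references and flags any version below 4.8.1. The sample project file and the Other.Package entry in it are constructed for the demonstration.

```python
"""Audit .csproj / packages.config files for EPiServer.CMS.TinyMce below 4.8.1.

Added example, not from Optimizely or TinyMCE: flags projects still on a
package version that predates the TinyMCE 6.8.4 XSS fixes.
"""
import re
import xml.etree.ElementTree as ET

PACKAGE = "EPiServer.CMS.TinyMce"
FIXED_VERSION = (4, 8, 1)  # first package version shipping TinyMCE 6.8.4


def parse_version(text):
    """Turn '4.8.1' or '4.8.1-pre' into a tuple of ints (pre-release suffix dropped)."""
    core = re.match(r"^\d+(\.\d+)*", text.strip())
    if core is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '4.8' compares like '4.8.0'


def find_package_versions(xml_text):
    """Return every version of the TinyMce package declared in the given XML."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # strip the MSBuild namespace used by old-style .csproj
        if tag == "PackageReference" and el.get("Include") == PACKAGE:
            # SDK-style projects allow Version as an attribute or as a child element
            version = el.get("Version") or (el.findtext("Version") or "").strip()
            if version:
                found.append(version)
        elif tag == "package" and el.get("id") == PACKAGE and el.get("version"):
            found.append(el.get("version"))  # packages.config style
    return found


def audit(xml_text):
    """Return (version, needs_upgrade) pairs; needs_upgrade means older than 4.8.1."""
    return [(v, parse_version(v) < FIXED_VERSION) for v in find_package_versions(xml_text)]


# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="EPiServer.CMS.TinyMce" Version="4.7.0" />
    <PackageReference Include="Other.Package" Version="1.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, needs_upgrade in audit(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {version}: {'UPGRADE to >= 4.8.1' if needs_upgrade else 'ok'}")
```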