DOC Document TinyMCE changes #498

Merged
Expand Up @@ -142,6 +142,8 @@ TinyMCEConfig::get('cms')->removeButtons('tablecontrols', 'blockquote', 'hr');
TinyMCE behaviour can be affected through its [configuration options](https://www.tiny.cloud/docs/tinymce/6/basic-setup).
These options will be passed straight to the editor.

A default set of options has been defined in the [`TinyMCEConfig.default_options`](api:SilverStripe\Forms\HTMLEditor\TinyMCEConfig->default_options) configuration property.

One example of the usage of this capability is to redefine the TinyMCE's [whitelist of HTML
tags](https://www.tiny.cloud/docs/tinymce/6/content-filtering/#extended_valid_elements) - the tags that will not be stripped
from the HTML source by the editor.
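Review bot: the new paragraph about `TinyMCEConfig.default_options` follows "These options will be passed straight to the editor", which leaves the reader thinking the defaults only shape the client-side editor. The changelog hunk in this same PR says the defaults include `valid_elements` and that `HTMLEditorSanitiser` enforces `valid_elements` on save, so suggest stating here that the default set (including `valid_elements`) is also what the server-side sanitiser applies, and that a custom config which does not set `valid_elements` inherits it. Minor wording: "the TinyMCE's whitelist" should read "TinyMCE's whitelist".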
23 changes: 23 additions & 0 deletions en/08_Changelogs/5.3.0.md
Expand Up @@ -14,6 +14,21 @@ title: 5.3.0 (unreleased)

## Features and enhancements

### Changes to `TinyMCEConfig` {#changes-to-tinymce}

In order to facilitate fixing a bug related to the sanitisation of HTML content via the [`HTMLEditorSanitiser`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser) class, some changes had to be made to the [`TinyMCEConfig`](api:SilverStripe\Forms\HTMLEditor\TinyMCEConfig) class. Those changes are as follows:

- If `valid_elements` and `extended_valid_elements` are both empty, all HTML elements will be stripped out of the HTML content.
- A default set of `valid_elements` has been defined for all `TinyMCEConfig` instances. If you use custom `TinyMCEConfig` definitions and have not explicitly set the `valid_elements` option, you may have more elements permitted than you were expecting.
- There is a new [`TinyMCEConfig.default_options`](api:SilverStripe\Forms\HTMLEditor\TinyMCEConfig->default_options) configuration property which allows you to define the default options for all `TinyMCEConfig` instances.

> [!WARNING]
> If you use custom `TinyMCEConfig` definitions, we strongly recommend double checking if they include a definition of `valid_elements`, and if they don't, validate whether the default set defined in `TinyMCEConfig.default_options` is suitable for you.
>
> You can either change the `TinyMCEConfig.default_options` configuration value to affect the options for all `TinyMCEConfig` definitions, or explicitly define `valid_elements` for your specific configuration instances. See [setting options](/developer_guides/forms/field_types/htmleditorfield/#setting-options) for more details.

See [sanitisation of HTML](#sanitisation-of-html) for more information about the bug that was fixed.

### High-level API for converting files {#file-converter}

There is now a high-level API for converting files from one format to another. This builds on top of the low-level API which was [added in 5.2.0](/changelogs/5.2.0/#file-variants).
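Review bot: the first bullet says that when `valid_elements` and `extended_valid_elements` are both empty all elements are stripped, while the second bullet says every `TinyMCEConfig` instance now gets a default `valid_elements`; as written a reader cannot tell when the first case can still happen. Suggest spelling out that it applies only when a config explicitly sets `valid_elements` to an empty value (or clears the default), so the two bullets do not read as contradictory. In the warning, "double checking if they include a definition of `valid_elements`" is awkward; suggest "double-check whether they define `valid_elements`". The `#sanitisation-of-html` link relies on the auto-generated heading id, whereas the other heading carries an explicit `{#changes-to-tinymce}` id; giving "### Sanitisation of HTML" an explicit id too would keep the cross-reference stable.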
Expand Down Expand Up @@ -49,6 +64,14 @@ This is particularly helpful if you need to update columns in one table to match

This release includes a number of bug fixes to improve a broad range of areas. Check the change logs for full details of these fixes split by module. Thank you to the community members that helped contribute these fixes as part of the release!

### Sanitisation of HTML

When you save content in a `HTMLEditorField`, the [`HTMLEditorSanitiser`](api:SilverStripe\Forms\HTMLEditor\HTMLEditorSanitiser) class is responsible for ensuring the HTML content is safe and matches the `valid_elements` and `extended_valid_elements` options you've defined.

There was a bug that resulted in `HTMLEditorSanitiser` using the 'active' `HTMLEditorConfig` instance rather than the instance which was defined for the field. In many cases this goes unnoticed because the default active instance is very permissive, and TinyMCE does a lot of this work on the client-side, but it was possible to bypass the defined allowed HTML elements by sending requests directly to the server.

This bug has been fixed, but some additional changes were required to facilitate it. See [changes to `TinyMCEConfig`](#changes-to-tinymce) for more details about those changes.

<!--- Changes below this line will be automatically regenerated -->

<!--- Changes above this line will be automatically regenerated -->
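Review bot: this section describes a server-side allowlist bypass (requests sent directly to the server were sanitised against the active `HTMLEditorConfig` rather than the field's own config), but nothing in the hunk marks it as a security fix or points at an advisory; suggest labelling it as a security fix and, if one exists, linking the advisory so readers scanning the changelog can tell it from ordinary bug fixes. The impact sentence is also indirect: "In many cases this goes unnoticed because the default active instance is very permissive" would be clearer as a plain statement that a more restrictive `valid_elements` set on a field was not enforced on the server. Grammar: "a `HTMLEditorField`" should be "an `HTMLEditorField`", "on the client-side" should be "on the client side", and "to facilitate it" should be "to facilitate the fix".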