Additional optional sanitization of scripting in TinyMCE #10653
Conversation
I've updated this so the patch is only applied if the following is present in the appsettings section of web.config:
If the key is missing or set to false the patch will not be applied, making it opt-in, I've also updated the Ideally, I would like to have placed this in either the security section of
(cherry picked from commit f68dba7)
Cherry picked for 8.17.1 in 23ce69d
* Changes to GetReducedEventList (#11444)
* Instead of only using first event, we combine events of same type into a single event with multiple arguments
* Added generic method to DRY up grouping logic.
* Renamed method to better reflect new functionality.
  Co-authored-by: Andy Butland <[email protected]>
* Merge pull request #11360 from umbraco/v8/bugfix/11057-mandatory-image-not-validating-after-first-time-failure
  Fixes 11057: Mandatory Image not validating after first time failure
  (cherry picked from commit 5cc70d2)
* Additional optional sanitization of scripting in TinyMCE (#10653)
  (cherry picked from commit f68dba7)
* Bump version to 8.17.1
* Hide localization key while loading
* ContentVersion cleanup backoffice UI (#11637)
* init rollback ui prototype
* add busy state to button, deselect version, add pagination status
* add localisation
* style current version
* disable rollback button when nothing is selected
* stop click event
* Endpoints for paginated content versions. Light on tests, tight on time.
* Endpoints to "pin" content versions
* camel case json output. Not sure why json formatter not set for controller, bit risky to add it now
* wire up paging
* wire up pin/unpin
* rename getPagedRollbackVersions to getPagedContentVersions
* prevent selection of current version and current draft
* add current draft and current version to UI
* remove pointer if the row is not selectable
* Improve warning for globally disabled cleanup feature.
* Fix current loses prevent cleanup state on publish.
* Added umbracoLog audit entries for "pin" / "unpin"
* Match v9 defaults for keepVersions settings
* Fix - losing preventCleanup on save current with content changes
* update pin/unpin button labels
* fix pagination bug
* add missing "
* always send culture when a doc type can vary
  Co-authored-by: Mads Rasmussen <[email protected]>
* Bugfix - DocumentVersionRepository.Get should not join culture variation
* Bugfix - Missing write lock
* Bugfix - Policy returns items to delete not items to keep. Switch to inverse behavior.

Co-authored-by: Andy Butland <[email protected]>
Co-authored-by: Nikolaj Geisle <[email protected]>
Co-authored-by: Niels Lyngsø <[email protected]>
Co-authored-by: Sebastiaan Janssen <[email protected]>
Co-authored-by: Ronald Barendse <[email protected]>
Co-authored-by: Paul Johnson <[email protected]>
Co-authored-by: Mads Rasmussen <[email protected]>
As of GHSA-w7jx-j77m-wp65 and GHSA-5vm8-hhgr-jcjp we need to ensure that arbitrary inline JavaScript cannot be inserted into the HTML of the TinyMCE editor.
This fix eliminates the option to insert inline 'on' attributes.
This fix also eliminates the use of javascript in URIs of various element types, including checking the validity of the URIs. If a URI is not valid, it will be removed.
This also means that inline data in the src tag is limited to data of type image or svg.
The additional sanitization is disabled for sites that are upgrading from an older version. Clean installs of Umbraco will have the option enabled by default. Enabling the option will not automatically remove any stored scripting; each TinyMCE instance on each content item will need to be saved manually.
Enabling the additional sanitization can be done in the web.config by adding the following appSetting:

This work is based on the fixes done for TinyMCE v5:

We determined which attributes can contain possibly problematic scripting. Enabling this configuration will do the following:

* Removes all on attributes (onClick, onMouseOver, etc).
* Checks the URIs in the src, href, data, background, action, formaction, poster and xlink:href attributes, removing javascript URIs and URIs that are not valid.
* Only allows the data:image attribute on img and video tags; scripts in those tags never get executed by browsers.

This fixes #10217
This item has been added to our backlog AB#13289