Users urged to update open source text editor

UPDATED A security update has been released for the popular open source text editor TinyMCE after a researcher discovered a a cross-site scripting (XSS) vulnerability impacting three of its plugins.

Marked as ‘high’ severity, the flaw allows for “arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs”, according to a post from the developer, Tiny Technologies, on GitHub.

The TinyMCE compatibility with JavaScript libraries and easy integration into content management systems has made it a popular tool used by developers.

Users of TinyMCE 4.9.6 or lower and TinyMCE 5.1.3 or lower are impacted by the flaw and urged to upgrade to the latest versions – TinyMCE 4.9.7 and 5.1.4.

The vulnerability, discovered by security researcher Michał Bentkowski, has affected the core parser, paste, and visualchars plugins.

The issued fix has remedied the vulnerability through improved parser logic and HTML sanitization, which TinyMCE has detailed in release notes.

Users can also protect themselves by disabling the impacted plugins or manually sanitizing content using the BeforeSetContent event, Tiny suggests in its GitHub post.

Bentkowski declined to comment on his find until the release of details related to flaws that he’s also uncovered in other popular WYSIWYG editors.

He told The Daily Swig that he intends to disclose the information when “everyone gets their fixes.”

Tiny claims on its website that millions of people use TinyMCE each day, and that its rich text editor platforms together power more than 40% of the world’s websites.

In a statement to The Daily Swig, Dylan Just, software architect at Tiny, said:

The issue relates to content not being correctly sanitized before being loaded into the editor. We have released fixes for TinyMCE 4 and 5, but we recommend that all users upgrade to the latest TinyMCE 5.

Further to this, we recommend that users sanitize content server-side, and add a suitable content security policy to their websites.

Security is very important to us and our users, so security issues are given the highest priority of any type of issue at Tiny. Anyone discovering a vulnerability may report it by emailing

This article has been updated with comments from Tiny and researcher Michał Bentkowski.

RELATED ServiceDesk Plus vulnerability could give attackers full access to IT support systems