Users urged to update open source text editor
The vulnerability, discovered by security researcher Michał Bentkowski, affects the core parser as well as the paste and visualchars plugins.
The fix remedies the vulnerability through improved parser logic and HTML sanitization, as detailed in TinyMCE's release notes.
Users can also protect themselves by disabling the impacted plugins or manually sanitizing content using the BeforeSetContent event, Tiny suggests in its GitHub post.
Bentkowski declined to comment on his finding until details of flaws he has also uncovered in other popular WYSIWYG editors are released.
He told The Daily Swig that he intends to disclose the information when “everyone gets their fixes.”
Tiny claims on its website that millions of people use TinyMCE each day, and that its rich text editor platforms together power more than 40% of the world’s websites.
In a statement to The Daily Swig, Dylan Just, software architect at Tiny, said:
The issue relates to content not being correctly sanitized before being loaded into the editor. We have released fixes for TinyMCE 4 and 5, but we recommend that all users upgrade to the latest TinyMCE 5.
Further to this, we recommend that users sanitize content server-side, and add a suitable content security policy to their websites.
Security is very important to us and our users, so security issues are given the highest priority of any type of issue at Tiny. Anyone discovering a vulnerability may report it by emailing email@example.com.
This article has been updated with comments from Tiny and researcher Michał Bentkowski.