A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe
elements containing malicious code to execute when inserted into the editor. These iframe
elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
TinyMCE 6.8.1 introduced a new sandbox_iframes
boolean option which adds the sandbox=""
attribute to every iframe
element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in iframe
elements. From TinyMCE 7.0.0 onwards the default value of this option is true
.
In TinyMCE 7.0.0 a new sandbox_iframes_exclusions
option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox=""
attribute applied when the sandbox_iframes
option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe
elements from every domain, set this option to []
.
The HTTP Content-Security-Policy (CSP) frame-src
or object-src
can be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.
{ "nvd_published_at": "2024-03-26T14:15:08Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-03-26T21:23:47Z" }