[Dev] Resolve TinyMCE XSS vulnerabilities #2741

Closed
1 of 3 tasks
thetif opened this issue Jan 4, 2021 · 0 comments
Labels
Development Issues for the dev team resolve large research Dev research

Contributor

thetif commented Jan 4, 2021

The version of TinyMCE that we are using doesn't currently sanitize user data before saving it and displaying it. There are a couple of options to explore. Relates to #2685

This task is done when one of the following has been done:

  • TinyMCE is upgraded to a version that is safe from XSS
  • all of the user data entered in a TinyMCE field is sanitized on every on* call (e.g. onerror, onload, etc)
  • a safer replacement is found for TinyMCE
@thetif thetif added Development Issues for the dev team resolve large research Dev research labels Jan 4, 2021
@nicholeweems nicholeweems added this to the 01/11/2021 - 01/22/2021 milestone Jan 7, 2021
@thetif thetif closed this as completed Jan 12, 2021