SCEditor 3.0 #6535

Closed
jdarwood007 opened this issue Feb 24, 2021 · 0 comments · Fixed by #6549

@jdarwood007

Description

https://github.com/samclarke/SCEditor/releases/tag/v3.0.0

SCEditor has released a major update that has fixed some security issues, bugs and updated dependencies.

This needs to be tested and verified to ensure it is compatible with SMF 2.1.

I'm tagging @live627 as he has helped fix some of the SCEditor bugs and has some good knowledge of the interworking.

This should be merged in RC4 because we need to see testing to ensure it's stable before release.

@jdarwood007 jdarwood007 added this to the RC4 milestone Feb 24, 2021
live627 added a commit to live627/SMF2.1 that referenced this issue Mar 1, 2021
The main feature of this release is a fix to prevent XSS with the default commands, along with dropping IE and legacy Edge support.

The editor also now includes the [dompurify](https://github.com/cure53/DOMPurify) library to help prevent any future XSS attacks. This isn't fully backwards compatible as `dompurify` may cause some HTML to be stripped. If you have any code that includes iframes, the allowed URLs will need to be added to the new `allowedIframeUrls` option.

The other breaking change is that the editor no longer supports IE and legacy Edge. The editor can still run in source mode in those browsers if the `runWithoutWysiwygSupport` option is enabled.

Resolves SimpleMachines#6535
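
The commit message above says iframe URLs must be listed in `allowedIframeUrls`. The following added example, which is not code from SCEditor or SMF, shows one way to check an iframe `src` against such an allowlist and why a raw prefix comparison is weaker; the function names, the entry format (string prefix or RegExp) and the sample URLs are assumptions.

```javascript
// Added example: hypothetical helpers, not SCEditor or SMF code.
// Constructed allowlist: string entries are "origin + path prefix",
// RegExp entries are matched against the full normalised URL.
const SAMPLE_ALLOWLIST = [
  'https://www.youtube.com/embed/',
  /^https:\/\/player\.vimeo\.com\/video\/\d+$/,
];

// Weak form, for contrast: raw string prefix comparison on the unparsed URL.
function naivePrefixMatch(src, allowlist) {
  return allowlist.some((e) => typeof e === 'string' && src.startsWith(e));
}

// Hardened form: parse first, then compare scheme, origin and path segment.
function isAllowedIframeUrl(src, allowlist) {
  let url;
  try {
    url = new URL(src); // relative, scheme-relative or malformed input throws
  } catch (err) {
    return false;
  }
  if (url.protocol !== 'https:') return false; // rejects javascript:, data:, http:

  return allowlist.some((entry) => {
    if (entry instanceof RegExp) {
      entry.lastIndex = 0; // a /g or /y regex keeps state between test() calls
      return entry.test(url.href);
    }
    let allowed;
    try {
      allowed = new URL(entry);
    } catch (err) {
      return false; // a malformed allowlist entry never matches
    }
    if (url.origin !== allowed.origin) return false; // exact scheme + host + port
    // Match the path on a segment boundary, after the parser has resolved "..".
    const dir = allowed.pathname.endsWith('/') ? allowed.pathname : allowed.pathname + '/';
    return url.pathname === allowed.pathname || url.pathname.startsWith(dir);
  });
}
```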