Allow TinyMCE to convert safe embed/objects to audio/img/video #16834
TinyMCE recently published 2 security advisories:
By default, we are not impacted by these security issues, but it is still preferable to upgrade to a version that is not marked as vulnerable. For the moment, the 6.8.1+ versions are still considered as vulnerable, but they should probably not be, see tinymce/tinymce#9513.

For the vulnerability related to usage of `iframe`, we already block them unless people set the `GLPI_ALLOW_IFRAME_IN_RICH_TEXT` to `true`. In this case, I think we should not set the `sandbox_iframes` option to `true` (see https://www.tiny.cloud/docs/tinymce/6/security/#sandbox-iframes-option), as I guess people may sometimes use forms or scripts in their own iframes, and that is probably the reason they enable them.

For the vulnerability related to usage of `object` and `embed` elements, we do not allow them for the moment. I propose to allow them now, as they will be converted to `audio`/`img`/`video` tags when possible, or into `iframe` tags otherwise, thanks to `convert_unsafe_embeds`. If `GLPI_ALLOW_IFRAME_IN_RICH_TEXT` is not set to `true`, the resulting `iframe` tags will be discarded automatically (once tinymce/tinymce#9516 is fixed).

I keep this PR as a draft, waiting for tinymce/tinymce#9513 and tinymce/tinymce#9516 to be fixed.
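To make the intended end-to-end behaviour concrete, here is an added JavaScript model of the pipeline the PR description relies on: `object`/`embed` elements are rewritten to `audio`/`img`/`video` from their MIME type, anything else becomes an `iframe`, and that `iframe` is kept only when the iframe gate (modelled here as an `allowIframe` boolean standing in for `GLPI_ALLOW_IFRAME_IN_RICH_TEXT`) is on. This is illustration code written for this note, not TinyMCE's `convert_unsafe_embeds` implementation nor GLPI's sanitizer, and its regex-based tag matching is an assumption that only covers the simple, well-formed markup shown in the constructed test inputs.

```javascript
// Illustration of the conversion described in the PR, not TinyMCE/GLPI code.
// MIME prefix -> media element that can carry the same resource safely.
const MEDIA_TAG_BY_TYPE = [
  [/^audio\//i, 'audio'],
  [/^video\//i, 'video'],
  [/^image\//i, 'img'],
];

// Parse the attribute list of one start tag (name="value" or name='value').
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

function mediaTagFor(type) {
  for (const [pattern, tag] of MEDIA_TAG_BY_TYPE) {
    if (pattern.test(type || '')) return tag;
  }
  return null; // not a plain media type: only an iframe could render it
}

function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Rewrite <embed> (self-closing) and <object>...</object> in an HTML fragment.
// allowIframe models GLPI_ALLOW_IFRAME_IN_RICH_TEXT: when false, anything that
// would have had to become an iframe is dropped instead of kept.
function convertUnsafeEmbeds(html, allowIframe) {
  const tagRe = /<embed\b([^>]*?)\/?>|<object\b([^>]*?)>[\s\S]*?<\/object>/gi;
  return html.replace(tagRe, (whole, embedAttrs, objectAttrs) => {
    const attrs = parseAttrs(embedAttrs !== undefined ? embedAttrs : objectAttrs);
    const src = attrs.src || attrs.data; // <embed src> vs <object data>
    if (!src) return ''; // nothing to point at: drop the element entirely
    const tag = mediaTagFor(attrs.type);
    if (tag === 'img') return `<img src="${escapeAttr(src)}">`;
    if (tag) return `<${tag} controls src="${escapeAttr(src)}"></${tag}>`;
    return allowIframe ? `<iframe src="${escapeAttr(src)}"></iframe>` : '';
  });
}
```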