[staging] Update TinyMCE #24978

Merged
merged 3 commits into from Jun 5, 2019

brianteeman
Contributor

This PR updates tinymce to version 4.5.11 - this is the highest version we can include in Joomla 3 due to browser support

Version 4.5.11 (2019-05-16)
Fixed bug where the editor would scroll to the top of the editable area if a dialog was closed in inline mode. #TINY-1073
Version 4.5.10 (2018-10-19)
Changed the contextual toolbar shortcut to Ctrl+F9 since an Edge shortcut interfered with the previous one.

Updated references to website and company name

@joomla-cms-bot joomla-cms-bot added Language Change This is for Translators PR-staging labels May 22, 2019
@brianteeman
Contributor Author

@zero-24 @SniperSister can you take a look at rips please

Failure: Can't connect to the API

Co-Authored-By: Quy <quy@fluxbb.org>
@Quy
Contributor

Quy commented May 30, 2019

I have tested this item ✅ successfully on 3f98219


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24978.

@viocassel
Contributor

I have tested this item ✅ successfully on dabc0f6



@Quy
Contributor

Quy commented Jun 5, 2019

RTC



@joomla-cms-bot joomla-cms-bot added the RTC This Pull Request is Ready To Commit label Jun 5, 2019
@HLeithner HLeithner merged commit 1777496 into joomla:staging Jun 5, 2019
@HLeithner
Member

thx

@joomla-cms-bot joomla-cms-bot removed the RTC This Pull Request is Ready To Commit label Jun 5, 2019
@HLeithner HLeithner added this to the Joomla 3.9.7 milestone Jun 5, 2019
@brianteeman
Contributor Author

thanks

@brianteeman brianteeman deleted the tinymce branch June 5, 2019 16:38
@BurtNL
Contributor

BurtNL commented Jun 15, 2019

Could the introduction of this new version of TinyMCE cause issues in modules that are created by third parties? I am using third party modules in which HTML markup is used, in textarea fields. Until J 3.9.6 this was no problem, but in J 3.9.8 all HTML markup is stripped out. Besides the update to J 3.9.8 no other settings were changed regarding Text Filtering and so on.
I have looked at the settings in the TinyMCE plugin and tried different settings, without good result, the HTML markup gets stripped out of all fields in the third party module.

@brianteeman
Contributor Author

No this would have no impact

@HLeithner
Member

There is an issue with custom subfields and filtering HTML from textarea and editor fields.
This is already fixed for the next version.

Do you mean this?

@BurtNL
Contributor

BurtNL commented Jun 15, 2019

[Screenshot: J396]
[Screenshot: J398]

Hope the screenshots make clear what I mean. In J3.9.6 HTML is allowed and saved properly.
After update to J3.9.8 exactly the same module gets stripped out of HTML.
As said before, I haven't changed or updated anything else besides the Joomla version.

@BurtNL
Contributor

BurtNL commented Jun 15, 2019

I know it is not core Joomla, but I would not have expected this.

@HLeithner
Member

This problem is fixed in #25189; it will be fixed with the next version. In the meantime you could apply the patch.

@BurtNL
Contributor

BurtNL commented Jun 15, 2019

I have downloaded both files from #25189 and replaced them in my local Joomla setup, but it does not solve the issue. The HTML is still stripped. For Custom module (core) it works good, but for the third party modules not.

@BurtNL
Contributor

BurtNL commented Jun 15, 2019

I will download staging tomorrow and give it a try again.

@BurtNL
Contributor

BurtNL commented Jun 15, 2019

Just downloaded and installed J 3.9.9-dev, but still seeing the same issue.

[Screenshot: J399-dev]

After entering

Training

and saving only the text is left, HTML is gone.
In J 3.9.6 not an issue.

@HLeithner
Member

@ReLater could you please check if it's related to your PR and if we can fix it?

@ReLater
Contributor

ReLater commented Jun 16, 2019

It's not related to my PR directly. I just provided a fix for a similar issue for subform fields in com_fields::repeatable. And the issue here is not related to TinyMCE.

All extensions that use subform fields MUST add an attribute filter to their subform child fields of type editor, textarea, text (maybe others, too) since Joomla 3.9.7 like it's common for "normal" JForm fields if you want to allow HTML input. Otherwise the validation falls back to STRING, which is the common behavior for "normal" JForm fields.

e.g.
filter="safehtml"
filter="JComponentHelper::filterText"
filter="raw" (bad decision in most cases)

Reason is a SECURITY fix in Joomla 3.9.7. Subform child fields weren't validated before that fix and for example JavaScript injections were possible without any cleaning.

Before that fix filter attributes in subform child fields were completely effectless!!

Example from core for a "good" field declaration:

<field
	name="tag_list_description"
	type="textarea"
	class="inputbox"
	label="COM_TAGS_SHOW_TAG_LIST_DESCRIPTION_LABEL"
	description="COM_TAGS_TAG_LIST_DESCRIPTION_DESC"
	rows="3"
	cols="30"
	filter="safehtml"
/>
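
The rule described in the comment above can be checked mechanically. The following is an added example, not code from the thread or from Joomla: a small audit that walks a form XML definition and flags free-text child fields of a subform that either lack a `filter` attribute or use `filter="raw"`. The sample form, the field names in it and the function name `audit_subform_filters` are constructed for illustration, and it assumes the subform's child fields are declared inline in a nested `<form>` element.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real extension): a module form with an inline subform.
SAMPLE_FORM = """<form>
  <fieldset name="basic">
    <field name="items" type="subform" multiple="true" label="Items">
      <form>
        <field name="title" type="text" label="Title" />
        <field name="body" type="editor" label="Body" filter="safehtml" />
        <field name="notes" type="textarea" label="Notes" filter="raw" />
        <field name="published" type="radio" label="Published" />
      </form>
    </field>
    <field name="intro" type="textarea" label="Intro" />
  </fieldset>
</form>"""

# Child field types named in the comment above as needing an explicit filter.
FREE_TEXT_TYPES = {"editor", "textarea", "text"}


def audit_subform_filters(xml_text):
    """Return (subform name, child name, issue) for each risky subform child field."""
    findings = []
    root = ET.fromstring(xml_text)
    for subform in root.iter("field"):
        if subform.get("type", "").lower() != "subform":
            continue
        # Only inline <form> definitions are visible here; a subform that loads
        # its fields from a separate XML file needs that file audited as well.
        for child in subform.findall("./form//field"):
            if child.get("type", "").lower() not in FREE_TEXT_TYPES:
                continue
            flt = child.get("filter")
            if flt is None:
                issue = "no filter: falls back to STRING, HTML is stripped"
            elif flt.lower() == "raw":
                issue = "filter=raw: input is stored without cleaning"
            else:
                continue
            findings.append((subform.get("name"), child.get("name"), issue))
    return findings


if __name__ == "__main__":
    for subform, child, issue in audit_subform_filters(SAMPLE_FORM):
        print(f"{subform}.{child}: {issue}")
```

Fields outside a subform (such as `intro` in the sample) are deliberately not reported, since the behaviour change discussed here concerns subform child fields only.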

@ReLater
Contributor

ReLater commented Jun 16, 2019

FYI: Added info to docs: https://docs.joomla.org/Subform_form_field_type#Beware.21

Maybe it should be propagated at other locations, too.

@HLeithner
Member

Thx @ReLater for the confirmation.

@BurtNL can you please contact the author of the extension and notify him/her of this change?

@BurtNL
Contributor

BurtNL commented Jun 16, 2019

Thanks @ReLater and @HLeithner, I have informed the author of this module already and sent him the links to this thread and the docs.
