Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[staging] Update TinyMCE #24978

Merged
merged 3 commits into from Jun 5, 2019

Conversation

Projects
None yet
7 participants
@brianteeman
Copy link
Contributor

commented May 22, 2019

This PR updates tinymce to version 4.5.11 - this is the highest version we can include in Joomla 3 due to browser support

Version 4.5.11 (2019-05-16)
Fixed bug where the editor would scroll to the top of the editable area if a dialog was closed in inline mode. #TINY-1073
Version 4.5.10 (2018-10-19)
Changed the contextual toolbar shortcut to Ctrl+F9 since an Edge shortcut interfered with the previous one.

Updated references to website and company name

[staging] Update TinyMCE
This PR updates tinymce to version 4.5.11 - this is the highest version we can include in Joomla 3 due to browser support

Version 4.5.11 (2019-05-16)
  Fixed bug where the editor would scroll to the top of the editable area if a dialog was closed in inline mode. #TINY-1073
Version 4.5.10 (2018-10-19)
  Changed the contextual toolbar shortcut to Ctrl+F9 since an Edge shortcut interfered with the previous one.

Updated references to website and company name
@brianteeman

This comment has been minimized.

Copy link
Contributor Author

commented May 22, 2019

@zero-24 @SniperSister can you take a look at rips please

Failure: Can't connect to the API

Update plugins/editors/tinymce/tinymce.xml
Co-Authored-By: Quy <quy@fluxbb.org>
@Quy

This comment has been minimized.

Copy link
Contributor

commented May 30, 2019

I have tested this item successfully on 3f98219


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24978.

@viocassel

This comment has been minimized.

Copy link
Contributor

commented Jun 5, 2019

I have tested this item successfully on dabc0f6


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24978.

@Quy

This comment has been minimized.

Copy link
Contributor

commented Jun 5, 2019

RTC


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/24978.

@joomla-cms-bot joomla-cms-bot added the RTC label Jun 5, 2019

@HLeithner HLeithner merged commit 1777496 into joomla:staging Jun 5, 2019

3 of 5 checks passed

continuous-integration/appveyor/pr AppVeyor build failed
Details
JTracker/HumanTestResults Human Test Results: 1 Successful 0 Failed.
Details
Hound No violations found. Woof!
continuous-integration/drone/pr Build is passing
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@HLeithner

This comment has been minimized.

Copy link
Member

commented Jun 5, 2019

thx

1 similar comment
@HLeithner

This comment has been minimized.

Copy link
Member

commented Jun 5, 2019

thx

@joomla-cms-bot joomla-cms-bot removed the RTC label Jun 5, 2019

@HLeithner HLeithner added this to the Joomla 3.9.7 milestone Jun 5, 2019

@brianteeman

This comment has been minimized.

Copy link
Contributor Author

commented Jun 5, 2019

thanks

@brianteeman brianteeman deleted the brianteeman:tinymce branch Jun 5, 2019

@BurtNL

This comment has been minimized.

Copy link
Contributor

commented Jun 15, 2019

Could the introduction of this new version of Tiny MCE cause issues in modules that are created by third parties? I am using third party modules in which HTML markup is used, in textarea fields. Until J 3.9.6 this was no problem, but in J 3.9.8 all HTML markup is stripped out. Besides the update to J 3.9.8 no other settings were changed regarding Text Filtering and so on.
I have looked at the settings in the Tiny MCE plugin and tried different settings, without good result, the HTML markup gets stripped out of all fields in the third party module.

@brianteeman

This comment has been minimized.

Copy link
Contributor Author

commented Jun 15, 2019

No this would have no impact

@HLeithner

This comment has been minimized.

Copy link
Member

commented Jun 15, 2019

There is an issue with custom subfields and filtering html from textarea and edtor fields.
This is already fixed for the next version.

Do you mean this?

@BurtNL

This comment has been minimized.

Copy link
Contributor

commented Jun 15, 2019

J396
J398

Hope the screenshots makes clear what I mean. In J3.9.6 HTML is allowed and saved properly.
After update to J3.9.8 exactly the same module gets stripped out of HTML.
As said before, I haven't changed or updated anything else besides the Joomla version.

@BurtNL

This comment has been minimized.

Copy link
Contributor

commented Jun 15, 2019

I know it is not core Joomla, but I would not have expected this.

@HLeithner

This comment has been minimized.

Copy link
Member

commented Jun 15, 2019

This problem is fixed in #25189 it will be fixed with the next version. In the meantime you could apply the patch.

@BurtNL

This comment has been minimized.

Copy link
Contributor

commented Jun 15, 2019

I have downloaded both files from #25189 and replaced them in my local Joomla setup, but it does not solve the issue. The HTML is still stripped. For Custom module (core) is works good, but for the third party modules not.

@BurtNL

This comment has been minimized.

Copy link
Contributor

commented Jun 15, 2019

I will download staging tomorrow and give it try again.

@BurtNL

This comment has been minimized.

Copy link
Contributor

commented Jun 15, 2019

Just downloaded and installed J 3.9.9-dev, but still seeing the same issue.

J399-dev

After entering

Training

and saving only the text is left, HTML is gone.
In J 3.9.6 not an issue.

@HLeithner

This comment has been minimized.

Copy link
Member

commented Jun 15, 2019

@ReLater could you please check if its releated to your PR and if we can fix it?

@ReLater

This comment has been minimized.

Copy link
Contributor

commented Jun 16, 2019

It's not related to my pr directly. I just provided a fix for a similiar issue for subform fields in com_fields::repeatable. And the issue here is not related to TinyMCE

All extensions that use subform fields MUST add an attribute filter to their subform child fields of type editor, textarea, text (maybe others, too) since Joomla 3.9.7 like it's common for "normal" JForm fields if you want to allow HTML input. Otherwise the validation falls back to STRING, which is the common behavior for "normal" JForm fields.

e.g.
filter="safehtml"
filter="JComponentHelper::filterText"
filter="raw" (bad decision in most cases)

Reason is a SECURITY fix in Joomla 3.9.7. Subform child fields weren't validated before that fix and for example JavaScript injections were possible without any cleaning.

Before that fix filter attributes in subform child fields were completely effectless!!

Example from core for a "good" field declaration:

<field
	name="tag_list_description"
	type="textarea"
	class="inputbox"
	label="COM_TAGS_SHOW_TAG_LIST_DESCRIPTION_LABEL"
	description="COM_TAGS_TAG_LIST_DESCRIPTION_DESC"
	rows="3"
	cols="30"
	filter="safehtml"
/>
@ReLater

This comment has been minimized.

Copy link
Contributor

commented Jun 16, 2019

FYI: Added info to docs: https://docs.joomla.org/Subform_form_field_type#Beware.21

Maybe it should be propagated at other locations, too.

@HLeithner

This comment has been minimized.

Copy link
Member

commented Jun 16, 2019

Thx @ReLater for the confirmation.

@BurtNL can you please contact the author of the extension und notify him/her of this change?

@BurtNL

This comment has been minimized.

Copy link
Contributor

commented Jun 16, 2019

Thanks @ReLater and @HLeithner , I have informed the author of this module already and send him the links to this thread and the docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.