Froala feature flag - disabled by default #12416
Merged
Commits:
- found during testing the legacy builder. Plus:
  - jquery.js was defined twice
  - using shorter controller syntax
- On loading the legacy builder there is an alert that the Froala assets must be enabled first
escopecz added the labels bug (Issues or PR's relating to bugs), bc-break (A BC break PR for major release milestones only) and builder-legacy (Anything related to the legacy email or landing page builders) on May 31, 2023.
escopecz force-pushed the froala-feature-flag branch from 06c8a7a to 935a7c7 on May 31, 2023 14:25.
Codecov Report (coverage diff, 5.x vs #12416):

                5.x        #12416     +/-
  Coverage      56.32%     56.30%     -0.03%
  Complexity    35185      35187      +2
  Files         2210       2210
  Lines         105570     105572     +2
  Hits          59463      59440      -23
  Misses        46107      46132      +25
mabumusa1 approved these changes on Jun 1, 2023:
Good to go. Since Froala has changed their license model, there is nothing much to do except use it.
Labels: bc-break, bug, builder-legacy, ready-to-test (PR's that are ready to test)
Description:
The Froala JavaScript library that Mautic uses has several reported security vulnerabilities:
https://security.snyk.io/package/npm/froala-editor/2.4.2
It's used in the legacy builder but it seems that many community members are still using it:
https://forum.mautic.org/t/is-anyone-still-using-the-legacy-email-and-page-builder/27819
So the middle-ground solution, which disables this vulnerable library for Mautic 5 but allows users to enable it if they need it and are fine with the security risks, is to add a new feature flag (= configuration option). This feature flag is OFF by default, so all Mautic administrators must enable it and agree with the downsides.
If the GrapesJS builder plugin is disabled and a Mautic user tries to open the legacy builder, they get this warning with instructions about what to do:
Apart from making Mautic 5 a bit safer, it will also help with performance.
With Froala enabled:
With Froala disabled:
This feature flag saves 1.6 MB off the Mautic administration page load: 27% less loaded size, and loading is 11% faster than before.
The savings will be greater when we remove the Froala library completely. The CSS/LESS files are baked into the library.css file and cannot be easily extracted. So those are still loading all the time.
Steps to test this PR: