Remove BBCode TinyMCE plugin from distribution #3325

Closed
avernet opened this Issue Aug 18, 2017 · 1 comment

Collaborator

avernet commented Aug 18, 2017

If enabled, this plugin can be used to conduct an XSS attack. However, out-of-the-box this plugin isn't enabled, and it isn't possible for end-users to enable it, so this isn't a true security risk. However, since this issue is covered by a CVE, some customers prefer to have the plugin completely removed from the distribution.

@avernet avernet added this to the 2017.2 milestone Aug 18, 2017

@avernet avernet self-assigned this Aug 18, 2017

avernet added a commit that referenced this issue Aug 18, 2017

@avernet avernet closed this Aug 18, 2017

Collaborator

avernet commented Aug 18, 2017

I also backported the change to our 2016.3-pe and 2017.1-pe branches.

@ebruchez ebruchez added this to Done in Orbeon Forms 2017.2 Aug 19, 2017