Cross-site Scripting (XSS) issue in media element #4394
I would like to request a security bug
What is the current behavior?
What is the expected behavior?
Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE?
Affected version: at least 4.7.11, 4.7.12
I think you may be wrong here. Yes, that can be an issue, but it does not have to be, and it has nothing to do with the editor itself, I think.
@Daijobou: I am aware that my PoC described Self-XSS. If you do not recognise it as a vulnerability, I recommend that you watch this movie: "Self XSS we’re not so different you and I" https://www.youtube.com/watch?v=l3yThCIF7e4.
As long as TinyMCE is performing changes on the user's input, like input sanitisation, it is responsible for the actions performed by the sanitisation mechanisms and for the HTML code generated as a result.