Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cross-site Scripting (XSS) issue in media element #4394

intivesec opened this issue May 15, 2018 · 2 comments


Copy link

commented May 15, 2018

I would like to request a security bug

What is the current behavior?
Tinymce is prone to inappropriate validation of user input in process of media element creation. Below I described PoC which shows a way to execute arbitrary JavaScript code - self XSS.

Steps to reproduce: (It can be tested at: or, however this vulnerability behaves slightly different between those sites)

  1. Click Insert > Media

  2. Type "a" in source and change active tab to embed


  1. Edit generated by tinymce code by adding "onerror=alert(1) "


4. Create media element


What is the expected behavior?
After few JavaScript executions (1-5 times) media element becomes properly sanitised.
Moreover: After XSS executes, any try of editing malicious media element makes editor unresponsive for the user.


Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE?

Affected version: at least 4.7.11, 4.7.12
Tested Browsers: Chrome, Firefox
OS: macOS High Sierra


This comment has been minimized.

Copy link

commented May 21, 2018

I think you are here maybe wrong. Yes, that can be a issue, but not must and have nothing to do with the editor itself, so I think.

  1. You and only you can insert this issue only for you self in your own browser. For other users insert a event onerror="" or onclick="" is maybe not a issue.

  2. After submit tinymce is not responsible for your content! Your own script must clean the recived text from bad things. Here you can use tools like HTMLPurifier or others. In fact everyone can manipulate with browser inspector or other tools the data before submit and after cleaning with tinymce or submit data without tinymce at all to your page.


This comment has been minimized.

Copy link

commented May 22, 2018

@Daijobou: I am aware that my PoC described Self-XSS. If you are not recognising it as a vulnerability, I recommend you to watch this movie - "Self XSS we’re not so different you and I"

As long as tinymce is performing changes on user's input like input sanitisation then is responsible for action performed by sanitisation mechanisms and generated in result HTML code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.