
Self XSS in TinyMce WYSIWYG Editor #4998

Closed
nani1337 opened this issue May 14, 2019 · 1 comment

Comments

@nani1337

Do you want to request a feature or report a bug?
Security Bug
What is the current behavior?
We have tested on TinyMCE 4.9.3 and the latest TinyMCE version, which is available at "https://www.tiny.cloud/docs/demo/full-featured/".

If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem via https://www.tiny.cloud/docs/demo/full-featured/ or similar.

What is the expected behavior?

Steps to reproduce:

  1. Browse to "https://www.tiny.cloud/docs/demo/full-featured/", or use 4.9.3 or the latest version if you have it available.
  2. Open it in Internet Explorer 11.
  3. Go to --> View --> Source code -->
     provide the following payload ""
     Here a "form action tag with JavaScript" is allowed.
  4. Click on the Save button, then View --> Preview --> click on the Submit button; we get an XSS pop-up.

POC screens: [two screenshots attached to the original issue, not reproduced here]

Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE?

Tested on:

Browser: IE 11
OS: Windows 11
TinyMCE versions tested on: 4.9.3 and the latest version available on tiny.cloud

thanks
srikanth

@TheSpyder
Member

TinyMCE only provides filtering against some script vulnerabilities, we don't guarantee full XSS protection:
https://www.tiny.cloud/docs/advanced/security/#qistinymceprotectedagainstxssvulnerabilities

We recommend using a server-side filter to properly guard against XSS.
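The maintainer's answer is that the editor is not the security boundary: whatever the browser sends back must be filtered on the server before it is stored or rendered. As an added illustration (not TinyMCE's code, and not what the reporter or maintainer posted), the following stdlib-only Python sanitizer shows the shape of such a filter: an allowlist of tags and attributes, with URL-bearing attributes (`href`, `src`, `action`, `formaction`) checked against an allowlist of schemes so that a `javascript:` scheme, however it is cased or padded with control characters or entity-encoded, is dropped rather than passed through. The tag and attribute lists are assumptions chosen for the example; a real deployment would tune them to the content it accepts.

```python
"""Allowlist HTML sanitizer for server-side filtering of WYSIWYG editor output.

Added example, stdlib only. The allowlists below are constructed for the
demonstration and are not a recommendation for any particular application.
"""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Tags that survive; everything else is dropped (its text content is kept,
# except for DROP_WITH_CONTENT, whose content is also discarded).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u",
                "ul", "ol", "li", "h1", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Attributes that carry a URL and therefore need a scheme check. `action` and
# `formaction` are listed so the check still applies if <form>/<button> are
# ever added to ALLOWED_TAGS.
URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
DROP_WITH_CONTENT = {"script", "style"}
VOID_TAGS = {"br"}


def safe_url(value: str) -> Optional[str]:
    """Return a cleaned URL if its scheme is allowlisted, else None.

    Whitespace and control characters are removed before parsing because
    browsers ignore them inside a scheme ("java\\tscript:" still runs).
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    if urlparse(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return None
    return cleaned


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        # convert_charrefs=True: text and attribute values arrive decoded, so an
        # entity-encoded "&#106;avascript:" is seen as "javascript:" before the
        # scheme check, and all text is re-escaped on output.
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self._skip = 0  # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip or tag in DROP_WITH_CONTENT:
            if tag in DROP_WITH_CONTENT:
                self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped, its text content still flows through
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers every on* handler and style attribute
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))


def sanitize(html: str) -> str:
    """Filter untrusted editor HTML down to the allowlist and return it."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample resembling the pattern in the report: a form whose
    # action carries a javascript: URL. The form and its submit control vanish,
    # the visible paragraph text remains.
    sample = '<form action="javascript:alert(1)"><p>Hi</p><input type="submit"></form>'
    print(sanitize(sample))
```

Because the filter is an allowlist, anything the list does not name (a new tag, a new event-handler attribute, a new URL scheme) is rejected by default, which is the property a server-side guard needs when the client, here the editor, cannot be trusted to have done the filtering.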
