Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed iframe elements containing malicious code to execute when inserted into the editor. These iframe elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.
Fix
TinyMCE 6.8.1 introduced a new sandbox_iframes boolean option which adds the sandbox="" attribute to every iframe element by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources in iframe elements. From TinyMCE 7.0.0 onwards the default value of this option is true.
In TinyMCE 7.0.0 a new sandbox_iframes_exclusions option was also added, allowing a list of domains to be specified that should be excluded from having the sandbox="" attribute applied when the sandbox_iframes option is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandbox iframe elements from every domain, set this option to [].
Workarounds
The HTTP Content-Security-Policy (CSP) frame-src or object-src can be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.
References
Impact
A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed
iframeelements containing malicious code to execute when inserted into the editor. Theseiframeelements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets.Fix
TinyMCE 6.8.1 introduced a new
sandbox_iframesboolean option which adds thesandbox=""attribute to everyiframeelement by default when enabled. This will prevent cross-origin, and in special cases same-origin, XSS by embedded resources iniframeelements. From TinyMCE 7.0.0 onwards the default value of this option istrue.In TinyMCE 7.0.0 a new
sandbox_iframes_exclusionsoption was also added, allowing a list of domains to be specified that should be excluded from having thesandbox=""attribute applied when thesandbox_iframesoption is enabled. By default, this option is set to an array of domains that are provided in embed code by popular websites. To sandboxiframeelements from every domain, set this option to[].Workarounds
The HTTP Content-Security-Policy (CSP)
frame-srcorobject-srccan be configured to restrict or block the loading of unauthorized URLS. Refer to the TinyMCE Content Security Policy Guide.References