fix: Tinymce allows potentially unsafe embeds

This sets `convert_unsafe_embeds` to true to act as a workaround for CVE-2024-29881 seeing that we cannot upgrade to tinymce 7 at the moment. The only difference from TinyMCE 6 to 7 in this regard is that this option is set to true and is the official workaround.

Fixes https://github.com/umbraco/Umbraco.CMS.Backoffice/security/dependabot/44
This commit is contained in:
Jacob Overgaard
2024-06-11 12:41:00 +02:00
parent 53cb9933d6
commit b77a91f01d

@@ -243,6 +243,7 @@ export class UmbInputTinyMceElement extends UUIFormControlMixin(UmbLitElement, '
paste_data_images: false,
language: this.#getLanguage(),
promotion: false,
convert_unsafe_embeds: true, // [JOV] Workaround for CVE-2024-29881
// Extend with configuration options
...configurationOptions,
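
Review bot: `convert_unsafe_embeds: true` is placed above `...configurationOptions`, so a `convert_unsafe_embeds` key arriving in `configurationOptions` would overwrite it and the CVE-2024-29881 workaround would be lost without any warning. If the setting is meant to be enforced rather than act as a default, move the line below the spread, and extend the comment to say it can be dropped once the TinyMCE 7 upgrade lands, since the commit message notes that version sets the option to true by default.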