From b77a91f01d45b8e1e09e297c45b9171eaffc511c Mon Sep 17 00:00:00 2001
From: Jacob Overgaard <752371+iOvergaard@users.noreply.github.com>
Date: Tue, 11 Jun 2024 12:41:00 +0200
Subject: [PATCH] fix: Tinymce allows potentially unsafe embeds
This sets `convert_unsafe_embeds` to true to act as a workaround for CVE-2024-29881 seeing that we cannot upgrade to tinymce 7 at the moment. The only difference from TinyMCE 6 to 7 in this regard is that this option is set to true and is the official workaround. Fixes https://github.com/umbraco/Umbraco.CMS.Backoffice/security/dependabot/44
---
 .../tiny-mce/components/input-tiny-mce/input-tiny-mce.element.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/Umbraco.Web.UI.Client/src/packages/tiny-mce/components/input-tiny-mce/input-tiny-mce.element.ts b/src/Umbraco.Web.UI.Client/src/packages/tiny-mce/components/input-tiny-mce/input-tiny-mce.element.ts
index 337f244cca..e5f3c03f14 100644
--- a/src/Umbraco.Web.UI.Client/src/packages/tiny-mce/components/input-tiny-mce/input-tiny-mce.element.ts
+++ b/src/Umbraco.Web.UI.Client/src/packages/tiny-mce/components/input-tiny-mce/input-tiny-mce.element.ts
@@ -243,6 +243,7 @@ export class UmbInputTinyMceElement extends UUIFormControlMixin(UmbLitElement, '
 paste_data_images: false,
 language: this.#getLanguage(),
 promotion: false,
+ convert_unsafe_embeds: true, // [JOV] Workaround for CVE-2024-29881
 // Extend with configuration options
 ...configurationOptions,
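Review bot: The added `convert_unsafe_embeds: true` sits above `...configurationOptions`, so a `convert_unsafe_embeds: false` arriving through that spread would silently turn the CVE-2024-29881 workaround back off. Whether the configuration source can carry that key is not visible in this hunk. If the override is not intended, move the line below the spread. If it is intended, say so in the comment, e.g. `// Workaround for CVE-2024-29881; overridable via configurationOptions, remove once on TinyMCE 7`. The option was introduced in TinyMCE 6.8.1, so it is worth confirming the bundled version is at least that, since an older 6.x would most likely ignore the key without any error. The enclosing object literal starts and ends outside the hunk.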