XSS security issue - Tiny’s commitment

Dylan Just

August 12th, 2020

Category

News & Updates

Tiny has released a security update for its open source HTML editor addressing a cross-site scripting (XSS) vulnerability discovered by Bishop Fox Labs.

What is the security issue?

TinyMCE 4 prior to 4.9.11 and TinyMCE 5 prior to 5.4.1 are affected by a vulnerability in their content sanitization logic, which allows an attacker to bypass these built-in cross-site scripting (XSS) protections and execute arbitrary JavaScript code.

This vulnerability can be mitigated with holistic XSS protections from the application, such as a strict content security policy (CSP), or by updating TinyMCE to version 4.9.11 or 5.4.1.

Applying security updates

Our users consume TinyMCE through several channels, so the patching process is different for each.

Open Source users typically consume TinyMCE via NPM. These users should use their package manager (typically NPM or Yarn) to update the package.

Our commercial users consume TinyMCE through our cloud or self-hosted offerings.

Cloud users add TinyMCE to their web pages using a script tag with a URL like this one below, filling in MY_API_KEY with their API Key shown in My Account.

https://cdn.tiny.cloud/1/MY_API_KEY/tinymce/5/tinymce.min.js

Note the "5" in the URL – this denotes the major version of TinyMCE. Anyone using this URL will automatically receive the update. Some users may be using "4" or "stable" – these users will receive the security fixes, but we strongly recommend that they switch to "5" to get the latest updates.

Self-hosted customers can download updates to TinyMCE through My Account.
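The two checks an integrator typically wants after reading the above are: is my pinned version on an affected release, and which channel does my script tag load from? The following is an added example, not code from Tiny or TinyMCE. It takes only the version thresholds (4.9.11 and 5.4.1) and the script URL shape quoted above from the advisory; the helper names and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Fixed versions stated in the advisory: the 4.x line is fixed in 4.9.11,
# the 5.x line in 5.4.1. Earlier releases of either line are affected.
FIXED_VERSIONS = {4: (4, 9, 11), 5: (5, 4, 1)}


def parse_version(text):
    """Turn "5.4.1" into (5, 4, 1); reject anything that is not MAJOR.MINOR.PATCH."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised TinyMCE version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if a self-hosted or NPM version predates the fix for its major line.

    Returns None for major lines the advisory does not cover (e.g. TinyMCE 3),
    so callers can tell "unknown" apart from "not affected".
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


# Shape of the Tiny Cloud script URL quoted in the advisory:
#   https://cdn.tiny.cloud/1/MY_API_KEY/tinymce/5/tinymce.min.js
CDN_PATH = re.compile(r"^/1/[^/]+/tinymce/(?P<channel>[^/]+)/tinymce(\.min)?\.js$")


def cdn_channel(script_src):
    """Return the channel segment ("5", "4", "stable", ...) of a Tiny Cloud URL, else None."""
    parts = urlsplit(script_src)
    if parts.scheme != "https" or parts.netloc != "cdn.tiny.cloud":
        return None
    match = CDN_PATH.match(parts.path)
    return match.group("channel") if match else None


def cdn_advice(channel):
    """Map a channel to the advisory's guidance."""
    if channel == "5":
        return "receives the fix automatically"
    if channel in ("4", "stable"):
        return "receives the fix, but switch to channel 5 for the latest updates"
    return "channel not discussed in the advisory; check its version explicitly"


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_page(html):
    """Return [(src, channel, advice)] for every Tiny Cloud script tag in the page."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.sources:
        channel = cdn_channel(src)
        if channel is not None:
            findings.append((src, channel, cdn_advice(channel)))
    return findings


# Constructed sample page (not from the advisory): one Tiny Cloud tag on the
# "stable" channel and one unrelated local script.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="https://cdn.tiny.cloud/1/MY_API_KEY/tinymce/stable/tinymce.min.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for version in ("4.9.10", "4.9.11", "5.3.2", "5.4.1"):
        print(version, "affected" if is_affected(version) else "not affected")
    for src, channel, advice in audit_page(SAMPLE_PAGE):
        print(f"{src}\n  channel {channel}: {advice}")
```

Run it over your own templates (or the rendered HTML of your pages) to list every Tiny Cloud script tag and its channel; for self-hosted or NPM installs, feed the version from your lock file or the downloaded package into `is_affected`.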

TinyMCE & security

TinyMCE is a web-based rich text editor. It loads HTML content, provides a powerful editing experience, then allows the content to be retrieved, for example, to publish on a web page. It is a component that's integrated into many web-based user interfaces – typically Content Management Systems (CMS) and Learning Management Systems (LMS).

When HTML content is loaded into TinyMCE – either by JavaScript calls, pasting content, or other user input – TinyMCE must not execute any scripts contained in this content. The vulnerability described above is of this form – TinyMCE was not correctly sanitizing the content before including it in the browser DOM, and so the embedded script is executed.

General recommendations

As a JavaScript component, TinyMCE is just one part of the content lifecycle. When a web app extracts content from TinyMCE, we strongly recommend that the content is sanitized server-side before saving or publishing. This is no different to any other input coming from a web page – someone could put a script tag in an input or textarea tag, but it's up to the app itself to make sure the content is safe before publishing or rendering. If the integrating app does this, then this whole class of vulnerability is mitigated.

We also recommend the use of a Content Security Policy to further mitigate XSS vectors.

Tiny's security response process

Security is very important to us and our users, so security issues are given the highest priority of any type of issue at Tiny.

Anyone discovering a vulnerability may report it by emailing infosec@tiny.cloud. Tiny customers may also log issues through the Tiny support system.

When security issues are reported, our InfoSec team assesses the severity and impact of the issue and decides on a course of action. If the issue requires a change to a product, we consult with the relevant engineering team, and the issue is given top priority. The issue will be addressed in all supported versions, first in any open source versions, then immediately in our commercial versions.

Once the issue is fixed in the commercial versions, we issue security alerts. GitHub security reports are great for this, as GitHub is such a well-known system, and it integrates well into many companies' patching workflows.

Our InfoSec team also holds a quarterly review to discuss all issues raised in the quarter, and to make process improvements going forward.

Stay up to date with what's happening at Tiny by following us on Twitter, and don't hesitate to contact us with any questions or feedback at all.

Dylan Just leads engineering on our Digital Experience team and is a member of the Tiny leadership group. He keeps our websites, ecommerce store and cloud systems up and running. He also built Tiny Sheets.
