TinyMCE 7.9.2

These are the Tiny Cloud and TinyMCE Enterprise release notes. For information on the latest community version of TinyMCE, see the TinyMCE Changelog.

Overview

TinyMCE 7.9.2 was released for TinyMCE Enterprise and Tiny Cloud on Wednesday, February 11^th, 2026. These release notes provide an overview of the changes for TinyMCE 7.9.2, including:

Additions
Deprecated
Security fixes

Additions

TinyMCE 7.9.2 also includes the following addition:

Introduced `allow_html_in_comments` option

Introduced allow_html_in_comments option (boolean, default: true) to control handling of HTML-like syntax in comment nodes. This option will default to false in TinyMCE 8.x.

For information on the allow_html_in_comments option, see: allow_html_in_comments.

Deprecated

TinyMCE 7.9.2 includes the following deprecation:

The default value of `allow_html_in_comments` will change in TinyMCE 8.x

The default value of allow_html_in_comments will change from true to false in TinyMCE 8.x.

Security fixes

TinyMCE 7.9.2 includes fixes for the following security issues:

Enhanced content sanitization

Updated dependencies and parsing logic for enhanced content sanitization. HTML-like content in comments and certain legacy patterns are now sanitized more strictly when xss_sanitization is enabled (default). The introduced allow_html_in_comments option provides control over comment node sanitization behavior.

For information on content sanitization, see: Sanitizing HTML input to protect against XSS attacks.

Migration: Legacy content using HTML comment wrappers in script or style tags should be updated to use modern syntax without comment wrappers. These comment patterns were primarily used for compatibility with browsers from the 1990s and are not required by modern browsers.

Workaround: To temporarily preserve existing content during migration, set xss_sanitization: false, though this is not recommended for production environments due to security implications.