From 49be844d5a4a9ebc2beef33265b654df7bf8bcbc Mon Sep 17 00:00:00 2001 From: Brian Teeman Date: Thu, 23 Nov 2023 09:08:43 +0000 Subject: [PATCH] [4.4] TinyMCE 5.10.9 (#42359) This is a security release ## Version 5.10.9 - November 15, 2023 ### Changed - Zero width no-break space (U+FEFF) characters are removed from content passed to setContent, insertContent, and resetContent APIs. - Zero width no-break space (U+FEFF) characters in initial content are not loaded into the editor upon initialization. ### Fixed -Specific HTML content containing unescaped text nodes caused mXSS when using undo/redo. -Specific HTML content containing unescaped text nodes caused mXSS when using the getContent and setContent APIs with the format: 'raw' option, which also affected the resetContent API and the draft restoration feature of the Autosave plugin --- package-lock.json | 6 +++--- plugins/editors/tinymce/tinymce.xml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index a25ec4e46cc..a2ac2cfaa1e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9404,9 +9404,9 @@ "integrity": "sha512-RX35iq/D+lrsqhcPWIazM9ELkjOe30MSeoBHQHSsRwd1YuhJO5ui1K1/R0r7N3mFvbLBs33idw+eR6j+w6i/DA==" }, "node_modules/tinymce": { - "version": "5.10.8", - "resolved": "https://registry.npmjs.org/tinymce/-/tinymce-5.10.8.tgz", - "integrity": "sha512-iyoo3VGMAJhLMDdblAefKvYgBRk9kQi58GTwAmoieqsyggGsKZWlQl/YY6nTILFHUCA1FhYu0HdmM5YYjs17UQ==" + "version": "5.10.9", + "resolved": "https://registry.npmjs.org/tinymce/-/tinymce-5.10.9.tgz", + "integrity": "sha512-5bkrors87X9LhYX2xq8GgPHrIgJYHl87YNs+kBcjQ5I3CiUgzo/vFcGvT3MZQ9QHsEeYMhYO6a5CLGGffR8hMg==" }, "node_modules/tippy.js": { "version": "6.3.7", diff --git a/plugins/editors/tinymce/tinymce.xml b/plugins/editors/tinymce/tinymce.xml index f2521d62a7e..2a8b64a4ba3 100644 --- a/plugins/editors/tinymce/tinymce.xml +++ b/plugins/editors/tinymce/tinymce.xml @@ -1,7 +1,7 @@ plg_editors_tinymce - 5.10.8 + 5.10.9 2005-08 Tiny Technologies, Inc N/A