Enabled script/style tags support in TinyMCE 6 #3653
Conversation
I think they decided to filter scripts because of the vulnerability that we were asked to address with the update :-\
Now it seems okay to me. I have tested it with complex client HTML that includes <script> / <style> tags and it doesn't break. tag is no longer inserted.
I'll try to test this ASAP
Has anyone had the opportunity to test it with various types of content? So far, I haven't encountered any issues.
@empiricompany how exactly do you test it? First example, I write the style in the textarea:
Exactly how you did it:
I tried your text, and it seems to have an issue if the style is in the first line. If you put it within the text, it works but moves it to the first line (due to the HTML5 directives that TinyMCE follows). So it's still not perfect (definitely better than before), but does it work with my sample text?
@fballiano please retry
@fballiano From my tests, the empty line is inserted if the <style> tag is on the first line, but it doesn't seem to be a problem since it's not a The regex supports all attributes in the opening tag, in this part: <script([\s\S]*?)> so it also supports the src attribute, but it was already like that before. For this minor security issue, I would open another PR. For now, it works and doesn't cause any problems with the themes I'm using (which I hate 😅). I have conducted numerous tests with different options, and this seems to be the best solution.
what the heck,
Yes 😅, it's a bit tricky. I have removed the style from protect due to conflicts with other options that were causing some issues.
I think this PR is a priority because otherwise the new editor can cause data loss for many people. Can we have more reviews?
Maybe it's a good idea to release a patch in these critical cases before the next release?
I use the <script> tag in pages and blocks. For example, there is a slider that needs to be initialized and customized. Since I'm a "good" content manager, I don't see any reason for concern. The fact that TinyMCE cleans the code is a preventive measure, but it should not limit the use. If you want related advice, I would ask for help in the Git page of the TinyMCE project. I would do it myself, but I am not fully familiar with this issue; I have not tested anything so far.
Can anyone give the last review so we can release a patch asap?
@addison74 can you review this please?
I hope that this new version works in all cases
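The comment above refers to an opening-tag pattern of the form `<script([\s\S]*?)>` and to TinyMCE's `protect` option. The following is an added example, not code from this PR or from TinyMCE: it models what `protect` does (swap matched fragments for opaque placeholders before cleanup, put them back afterwards) so the pattern can be exercised outside the editor, and it shows how the captured attribute group lets a reviewer list which protected scripts load an external `src`. The full regexes, the placeholder format, the `stripUnprotected` stand-in for the editor's cleanup and the sample HTML are all assumptions constructed for this example.

```javascript
// Added example (not the PR's or TinyMCE's code): a minimal model of the
// `protect` round trip discussed in the thread. The regexes below are assumed,
// built around the thread's `<script([\s\S]*?)>` opening-tag fragment; the lazy
// attribute group is what lets `src="..."`, `type="..."` etc. ride along.
const SCRIPT_PATTERN = /<script([\s\S]*?)>[\s\S]*?<\/script>/gi;
const STYLE_PATTERN = /<style([\s\S]*?)>[\s\S]*?<\/style>/gi;

// Replace every match of every pattern with an opaque placeholder comment and
// remember the original fragments in order. Placeholder format is assumed.
function protect(html, patterns) {
  const saved = [];
  let out = html;
  for (const pattern of patterns) {
    out = out.replace(pattern, (match) => {
      saved.push(match);
      return `<!--protected:${saved.length - 1}-->`;
    });
  }
  return { html: out, saved };
}

// Put the saved fragments back where their placeholders sit. `replace` scans
// the input once, so restored fragments are not re-examined.
function restore(html, saved) {
  return html.replace(/<!--protected:(\d+)-->/g, (_, i) => saved[Number(i)]);
}

// Stand-in for the editor's cleanup: anything that still looks like a script
// or style element is dropped, as the thread reports TinyMCE 6 doing.
function stripUnprotected(html) {
  return html.replace(SCRIPT_PATTERN, '').replace(STYLE_PATTERN, '');
}

// Constructed CMS block of the kind described in the thread: an inline style,
// a slider-init script and an external loader script.
const SAMPLE_HTML = [
  '<style>.slider{width:100%}</style>',
  '<div class="slider">...</div>',
  '<script src="/js/slider.js" type="text/javascript"></script>',
  '<script>initSlider({loop:true});</script>',
].join('\n');

// Number of fragments a pattern would protect in the given HTML.
function countMatches(html, pattern) {
  const m = html.match(pattern);
  return m ? m.length : 0;
}

// protect -> cleanup -> restore must hand the input back unchanged.
function roundTrip(html) {
  const { html: protectedHtml, saved } = protect(html, [SCRIPT_PATTERN, STYLE_PATTERN]);
  return restore(stripUnprotected(protectedHtml), saved);
}

// Without protection the cleanup silently loses the tags (the data loss the
// thread describes).
function withoutProtection(html) {
  return stripUnprotected(html);
}

// Uses the pattern's attribute capture group to report which protected
// scripts load an external source, since `src` passes through protect too.
function externalScriptSources(html) {
  const sources = [];
  for (const m of html.matchAll(SCRIPT_PATTERN)) {
    const attr = /\bsrc\s*=\s*["']([^"']*)["']/i.exec(m[1]);
    if (attr) sources.push(attr[1]);
  }
  return sources;
}

console.log(roundTrip(SAMPLE_HTML) === SAMPLE_HTML);   // true
console.log(externalScriptSources(SAMPLE_HTML));        // [ '/js/slider.js' ]
```

Running it shows the round trip preserving all three elements while the unprotected path strips them, and `externalScriptSources` is the kind of check a site owner can run over CMS content to review which external scripts the protected blocks pull in.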
Done multiple tests and I couldn't find any problem
@addison74 @elidrissidev @kiatng @Flyingmana can we check this cause we probably should merge it asap, together with #3658, thank you
@addison74 @elidrissidev @kiatng @Flyingmana @colinmollenhour can we check this cause we probably should merge it and release it asap
Looks good to me, but I have not done any testing. From a security standpoint I see no problems, it is up to TinyMCE to disable script execution in the editor while still protecting the script tags and it seems the tests you have performed already cover this well.
Thanks @colinmollenhour!
Unfortunately the end of the year found me extremely busy and I didn't have time to test simple PRs like this one. We will have to evaluate other tags so that they are not deleted. You mentioned for evaluation. Related to the editor, in the old Tiny when I switched between the editor and the form, the paragraph tag
@fballiano how can we create and manage a composer patch before the next release?
@empiricompany you can directly link a PR as a composer patch. @addison74 we need to get this out asap, so all of the rest should be addressed (in case it's needed) later.
"extra": {
    "enable-patching": true,
    "magento-core-package-type": "magento-source",
    "magento-root-dir": ".",
    "patches": {
        "openmage/magento-lts": {
            "OM-3653": "https://patch-diff.githubusercontent.com/raw/OpenMage/magento-lts/pull/3653.diff"
        }
    }
}
I just want to update to 6.8.2 and then do a release |
Description (*)
TinyMCE 6 editor removes the <script> and <style> tags.
Related Pull Requests
Fixed Issues (if relevant)
Manual testing scenarios (*)
Use a <script> or <style> tag with the WYSIWYG editor (example content below)
Expected result (*)
<script> / <style> tag not removed
Actual result (*)
<script> / <style> tags removed from HTML
Example content to test: https://regex101.com/r/Ub4FeY/2
Themes like Porto include <script> and <style> tags in CMS content. However, when you modify this content using TinyMCE, they lose all the included scripts and styles.
It seems quite urgent because I had to restore the content from a backup.
Some resources to deal with:
TinyMCE 6 Docs - Content Filtering
Dealing with protect
stackoverflow
Questions or comments
Contribution checklist (*)