build(deps): [security] bump tinymce from 4.5.7 to 5.7.1 #50

Open
dependabot-preview[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/tinymce-5.7.1

Conversation

@dependabot-preview commented:

Bumps tinymce from 4.5.7 to 5.7.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Cross-site scripting vulnerability in TinyMCE

Impact

A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor. This impacts all users who are using TinyMCE 5.7.0 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.7.1 by improved URL sanitization logic.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.7.1 or higher
  • Manually sanitize form URL attributes using a TinyMCE node filter.
  • Disable form elements in your content using the invalid_elements setting.

Example: Sanitizing using a node filter

```javascript
editor.parser.addNodeFilter('form', function(nodes) {
  nodes.forEach(function(node) {
    if (node.attributes) {
      node.attributes.forEach(function(attr) {
        var name = attr.name;
        var value = attr.value;
        // ... (the advisory's URL sanitization logic is truncated in this excerpt)
      });
    }
  });
});
```

... (truncated)

Affected versions: < 5.7.1

Sourced from The GitHub Security Advisory Database.

Cross-site scripting in TinyMCE

TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

Affected versions: < 4.9.7

Sourced from The GitHub Security Advisory Database.

Regex denial of service vulnerability in codesample plugin

Impact

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.6.0 or higher
  • Disable the codesample plugin
  • Disable ruby code samples using the codesample_languages setting
  • Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting

Acknowledgements

Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

For more information

... (truncated)

Affected versions: < 5.6.0

Sourced from The GitHub Security Advisory Database.

Cross-site scripting vulnerability in TinyMCE

Impact

A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.3.2 or lower.

Patches

This vulnerability has been patched in TinyMCE 4.9.11 and 5.4.0 by improved HTML parsing and sanitization logic.

Workarounds

The workarounds available are:

  • upgrade to either TinyMCE 4.9.11 or TinyMCE 5.4.0 or
  • enable the media plugin, which overrides the default parsing behaviour for iframes or
  • add the following workaround to update the parsing schema rules for iframes:

Example: Change the default schema for iframes

```javascript
setup: function(editor) {
  editor.on('PreInit', function() {
    editor.schema.getSpecialElements()['iframe'] = /<\/iframe[^>]*>/gi;
  });
}
```

... (truncated)

Affected versions: < 4.9.11

Sourced from The GitHub Security Advisory Database.

XSS in TinyMCE

A cross-site scripting (XSS) vulnerability was discovered in the core parser and media plugin. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs.

This vulnerability has been patched in TinyMCE 4.9.10 and 5.2.2 by improved HTML parsing and sanitization logic.

Workarounds

Disable the media plugin and manually sanitize CDATA content

References

https://www.tiny.cloud/docs/release-notes/release-notes522/#securityfixes

Affected versions: < 4.9.10

Sourced from The GitHub Security Advisory Database.

High severity vulnerability that affects tinymce

Impact

A cross-site scripting (XSS) vulnerability was discovered in: the core parser, paste and visualchars plugins. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.6 or lower and TinyMCE 5.1.3 or lower.

Patches

This vulnerability has been patched in TinyMCE 4.9.7 and 5.1.4 by improved parser logic and HTML sanitization.

Workarounds

The workarounds available are:

  • disable the impacted plugins
  • manually sanitize the content using the BeforeSetContent event (see below)
  • upgrade to either TinyMCE 4.9.7 or TinyMCE 5.1.4

Example: Manually sanitize content

```javascript
editor.on('BeforeSetContent', function(e) {
  var sanitizedContent = ...; // Manually sanitize content here
  e.content = sanitizedContent;
});
```

... (truncated)

Affected versions: < 4.9.7

Changelog

Sourced from tinymce's changelog.

5.7.1 - 2021-03-17

Fixed

  • Fixed the help dialog incorrectly linking to the changelog of TinyMCE 4 instead of TinyMCE 5 #TINY-7031
  • Fixed a bug where error messages were displayed incorrectly in the image dialog #TINY-7099
  • Fixed an issue where URLs were not correctly filtered in some cases #TINY-7025
  • Fixed a bug where context menu items with names that contained uppercase characters were not displayed #TINY-7072
  • Fixed context menu items lacking support for the disabled and shortcut properties #TINY-7073
  • Fixed a regression where the width and height were incorrectly set when embedding content using the media dialog #TINY-7074

5.7.0 - 2021-02-10

Added

  • Added IPv6 address support to the URI API. Patch contributed by dev7355608 #GH-4409
  • Added new structure and style properties to the TableModified event to indicate what kinds of modifications were made #TINY-6643
  • Added video and audio live embed support for the media plugin #TINY-6229
  • Added the ability to resize video and iframe media elements #TINY-6229
  • Added a new font_css setting for adding fonts to both the editor and the parent document #TINY-6199
  • Added a new ImageUploader API to simplify uploading image data to the configured images_upload_url or images_upload_handler #TINY-4601
  • Added an Oxide variable to define the container background color in fullscreen mode #TINY-6903
  • Added Oxide variables for setting the toolbar background colors for inline and sticky toolbars #TINY-6009
  • Added a new AfterProgressState event that is fired after editor.setProgressState calls complete #TINY-6686
  • Added support for table_column_resizing when inserting or deleting columns #TINY-6711

Changed

  • Changed table and table column copy behavior to retain an appropriate width when pasted #TINY-6664
  • Changed the lists plugin to apply list styles to all text blocks within a selection #TINY-3755
  • Changed the advlist plugin to log a console error message when the list plugin isn't enabled #TINY-6585
  • Changed the z-index of the setProgressState(true) throbber so it does not hide notifications #TINY-6686
  • Changed the type signature for editor.selection.getRng() incorrectly returning null #TINY-6843
  • Changed some SaxParser regular expressions to improve performance #TINY-6823
  • Changed editor.setProgressState(true) to close any open popups #TINY-6686

Fixed

  • Fixed codesample highlighting performance issues for some languages #TINY-6996
  • Fixed an issue where cell widths were lost when merging table cells #TINY-6901
  • Fixed col elements incorrectly transformed to th elements when converting columns to header columns #TINY-6715
  • Fixed a number of table operations not working when selecting 2 table cells on Mozilla Firefox #TINY-3897
  • Fixed a memory leak by backporting an upstream Sizzle fix #TINY-6859
  • Fixed table width style was removed when copying #TINY-6664
  • Fixed focus lost while typing in the charmap or emoticons dialogs when the editor is rendered in a shadow root #TINY-6904
  • Fixed corruption of base64 URLs used in style attributes when parsing HTML #TINY-6828
  • Fixed the order of CSS precedence of content_style and content_css in the preview and template plugins. content_style now has precedence #TINY-6529
  • Fixed an issue where the image dialog tried to calculate image dimensions for an empty image URL #TINY-6611
  • Fixed an issue where scope attributes on table cells would not change as expected when merging or unmerging cells #TINY-6486
  • Fixed the plugin documentation links in the help plugin #DOC-703
  • Fixed events bound using DOMUtils not returning the correct result for isDefaultPrevented in some cases #TINY-6834
  • Fixed the "Dropped file type is not supported" notification incorrectly showing when using an inline editor #TINY-6834
  • Fixed an issue with external styles bleeding into TinyMCE #TINY-6735
  • Fixed an issue where parsing malformed comments could cause an infinite loop #TINY-6864

... (truncated)

Commits
  • 8273fb3 Added version 5.7.1 release.
  • 729e1f7 Added version 5.7.0 release.
  • 310051d Added version 5.6.2 release.
  • f78490b Added version 5.6.1 release.
  • 933ded7 Added version 5.6.0 release.
  • a436d25 Added version 5.5.1 release.
  • a2c91ba Added version 5.5.0 release.
  • 71197b6 Added version 5.4.2 release.
  • 940fdcf Added version 5.4.1 release.
  • aa17e50 Added version 5.4.0 release.
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
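The node-filter workaround quoted in the first advisory shows only the loop over form attributes; the scheme check such a filter would apply is shown below as an added example, not the advisory's or TinyMCE's own code. It operates on plain objects shaped like TinyMCE parser nodes so it runs in Node without the editor, assumes the filter sees entity-decoded attribute values, and treats `action` and `formaction` as the URL-bearing attributes; the names `isSafeUrl`, `sanitizeFormNodes`, `URL_ATTRIBUTES`, `ALLOWED_SCHEMES` and the sample nodes are constructed for this example.

```javascript
'use strict';

// Added example (not TinyMCE's or the advisory's code): the URL scheme check a
// form node filter would apply before content is rendered outside the editor.
// Names and sample data below are constructed for this example.

// Attributes treated as URL-bearing on form elements (assumption for this example).
const URL_ATTRIBUTES = new Set(['action', 'formaction']);

// Allow-list of schemes; anything else (javascript:, data:, vbscript:, ...) is rejected.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Browsers strip leading/trailing C0 controls and spaces and remove tabs and
// newlines anywhere before resolving a URL, so "java\tscript:" is still
// javascript:. Apply the same normalisation before looking at the scheme.
function normalizeUrl(value) {
  return String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Returns true when the URL has no scheme (relative) or an allow-listed one.
function isSafeUrl(value) {
  const url = normalizeUrl(value);
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!match) {
    return true; // relative or protocol-relative URL: no scheme to abuse
  }
  return ALLOWED_SCHEMES.has(match[1].toLowerCase());
}

// Mirrors the body of the advisory's addNodeFilter('form', ...) callback on
// plain objects shaped like parser nodes: { name, attributes: [{ name, value }] }.
// Unsafe URL attributes are blanked; returns how many were stripped.
// Inside a real TinyMCE filter, node.attr(name, null) would remove the attribute.
function sanitizeFormNodes(nodes) {
  let stripped = 0;
  for (const node of nodes) {
    for (const attr of node.attributes || []) {
      if (URL_ATTRIBUTES.has(attr.name.toLowerCase()) && !isSafeUrl(attr.value)) {
        attr.value = '';
        stripped += 1;
      }
    }
  }
  return stripped;
}

// Constructed sample: three form nodes, one carrying a whitespace-obfuscated
// javascript: action that a naive startsWith('javascript:') check would miss.
const SAMPLE_NODES = [
  { name: 'form', attributes: [{ name: 'action', value: '/submit' }] },
  { name: 'form', attributes: [{ name: 'action', value: ' java\tscript:void(0)' },
                               { name: 'method', value: 'post' }] },
  { name: 'form', attributes: [{ name: 'formaction', value: 'HTTPS://example.com/x' }] },
];

// Runs the filter on a copy so SAMPLE_NODES stays pristine for other callers.
function demo() {
  const nodes = JSON.parse(JSON.stringify(SAMPLE_NODES));
  const stripped = sanitizeFormNodes(nodes);
  console.log('stripped attributes:', stripped);
  console.log(JSON.stringify(nodes));
  return stripped;
}

demo();
```

The normalisation step is the part worth copying: matching the raw attribute value against a list of bad prefixes misses values padded with tabs, newlines or leading spaces, which the browser discards before it interprets the scheme. An allow-list of schemes is also simpler to reason about than a deny-list, since any scheme the author did not anticipate is rejected by default.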

Bumps [tinymce](https://github.com/tinymce/tinymce-dist) from 4.5.7 to 5.7.1. **This update includes security fixes.**
- [Release notes](https://github.com/tinymce/tinymce-dist/releases)
- [Changelog](https://github.com/tinymce/tinymce-dist/blob/master/CHANGELOG.md)
- [Commits](tinymce/tinymce-dist@4.5.7...5.7.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
dependabot-preview[bot] added the dependencies and security labels on Jun 7, 2021.