From 46a404f4e460f49d9832844ea4c9ee8a9ef0179b Mon Sep 17 00:00:00 2001
From: Benjamin Trenkle
Date: Thu, 27 Jun 2024 22:21:40 +0200
Subject: [PATCH 1/3] Revert security fix breaking all PDFs
---
 plugins/editors/tinymce/src/PluginTraits/DisplayTrait.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/editors/tinymce/src/PluginTraits/DisplayTrait.php b/plugins/editors/tinymce/src/PluginTraits/DisplayTrait.php
index be10b339218d4..2169cfd7074fa 100644
--- a/plugins/editors/tinymce/src/PluginTraits/DisplayTrait.php
+++ b/plugins/editors/tinymce/src/PluginTraits/DisplayTrait.php
@@ -460,7 +460,8 @@ public function display(string $name, string $content = '', array $attributes = 
 'promotion' => false,
 // Hardened security
- 'sandbox_iframes' => true,
+ // @todo enable with TinyMCE 7 using https://www.tiny.cloud/docs/tinymce/latest/content-filtering/#sandbox-iframes-exclusions otherwise all embed PDFs are broken
+ 'sandbox_iframes' => false,
 'convert_unsafe_embeds' => true,
 // Specify the attributes to be used when previewing a style. This prevents white text on a white background making the preview invisible.
From ae1879a2247de4bd7251637c9c7c0653453da53e Mon Sep 17 00:00:00 2001
From: Benjamin Trenkle
Date: Sat, 29 Jun 2024 11:45:03 +0200
Subject: [PATCH 2/3] Make the iframe sandbox a parameter in tinymce
---
 administrator/language/en-GB/plg_editors_tinymce.ini | 2 ++
 plugins/editors/tinymce/forms/setoptions.xml | 12 ++++++++++++
 .../tinymce/src/PluginTraits/DisplayTrait.php | 2 +-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/administrator/language/en-GB/plg_editors_tinymce.ini b/administrator/language/en-GB/plg_editors_tinymce.ini
index 7359a2b846992..7c789f0efd922 100644
--- a/administrator/language/en-GB/plg_editors_tinymce.ini
+++ b/administrator/language/en-GB/plg_editors_tinymce.ini
@@ -96,4 +96,6 @@ PLG_TINY_TOOLBAR_BUTTON_FONTSIZESELECT="Font Size Select"
 PLG_TINY_TOOLBAR_BUTTON_FORMATSELECT="Format Select"
 PLG_TINY_TOOLBAR_BUTTON_SEPARATOR="Separator"
 PLG_TINY_TOOLBAR_BUTTON_STYLESELECT="Style Select"
+PLG_TINY_FIELD_SANDBOX_IFRAMES_LABEL="Sandbox Iframes"
+PLG_TINY_FIELD_SANDBOX_IFRAMES_DESC="This is a security feature that restricts what the iframe can do by setting a sandbox attribute for each iframe. It is recommended to enable this feature for security reasons. Disable only if the iframe is not loading and you're sure that the content iframed is safe."
 PLG_TINY_XML_DESCRIPTION="TinyMCE is a platform independent web based JavaScript HTML WYSIWYG Editor. Using sets you can configure and customise the editor for every user group."
diff --git a/plugins/editors/tinymce/forms/setoptions.xml b/plugins/editors/tinymce/forms/setoptions.xml
index 8179e5772e684..14ad640f306c7 100644
--- a/plugins/editors/tinymce/forms/setoptions.xml
+++ b/plugins/editors/tinymce/forms/setoptions.xml
@@ -225,6 +225,18 @@ showon="use_config_textfilters:0" /> + + + + + false, + 'sandbox_iframes' => (bool) $levelParams->get('sandbox_iframes', true), 'convert_unsafe_embeds' => true, // Specify the attributes to be used when previewing a style. This prevents white text on a white background making the preview invisible.
From 9000152ff311b01666332220cee82679d71081bd Mon Sep 17 00:00:00 2001
From: Martina Scholz <64533137+LadySolveig@users.noreply.github.com>
Date: Mon, 1 Jul 2024 18:55:18 +0200
Subject: [PATCH 3/3] Update administrator/language/en-GB/plg_editors_tinymce.ini
Co-authored-by: Brian Teeman
---
 administrator/language/en-GB/plg_editors_tinymce.ini | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/administrator/language/en-GB/plg_editors_tinymce.ini b/administrator/language/en-GB/plg_editors_tinymce.ini
index 7c789f0efd922..6b2bf03efe1a7 100644
--- a/administrator/language/en-GB/plg_editors_tinymce.ini
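Review bot: The line `'sandbox_iframes' => (bool) $levelParams->get('sandbox_iframes', true),` carries no explanation of why a hardening default became configurable, and the `// Hardened security` comment two lines above it (visible in the first patch's context) now sits over an option that can be switched off per set, so the trade-off should be stated on the line itself: `// Per-set toggle, default on: adds a sandbox attribute to every iframe; the setoptions.xml field exists because embedded PDFs need it off until TinyMCE exposes sandbox_iframes_exclusions.` One thing to confirm is how the form stores the value: `(bool)` turns any falsy stored value into "off", so a set saved with an empty value for this key (rather than an explicit `0`) would lose the sandbox silently. The enclosing display() method starts and ends outside this hunk, and in this extraction the DisplayTrait.php file header and the removed line appear cut (as does the setoptions.xml field markup before it), so the old-side line is inferred from the first patch.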
+++ b/administrator/language/en-GB/plg_editors_tinymce.ini
@@ -97,5 +97,5 @@ PLG_TINY_TOOLBAR_BUTTON_FORMATSELECT="Format Select"
 PLG_TINY_TOOLBAR_BUTTON_SEPARATOR="Separator"
 PLG_TINY_TOOLBAR_BUTTON_STYLESELECT="Style Select"
 PLG_TINY_FIELD_SANDBOX_IFRAMES_LABEL="Sandbox Iframes"
-PLG_TINY_FIELD_SANDBOX_IFRAMES_DESC="This is a security feature that restricts what the iframe can do by setting a sandbox attribute for each iframe. It is recommended to enable this feature for security reasons. Disable only if the iframe is not loading and you're sure that the content iframed is safe."
+PLG_TINY_FIELD_SANDBOX_IFRAMES_DESC="This is a security feature that restricts what the iframe can do by setting a sandbox attribute for each iframe. It is recommended to enable this feature for security reasons. Only disable if the iframe is not loading and you're sure that the iframed content is safe."
 PLG_TINY_XML_DESCRIPTION="TinyMCE is a platform independent web based JavaScript HTML WYSIWYG Editor. Using sets you can configure and customise the editor for every user group."