
DOC-2545: TinyMCE 7.4.1 Documentation Release. (#3470)

pull/3472/head
Karl Kemister-Sheppard 10 months ago
committed by GitHub
parent
commit
1d5345cd0f
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
  1. 3
      modules/ROOT/nav.adoc
  2. 42
      modules/ROOT/pages/7.4.1-release-notes.adoc
  3. 7
      modules/ROOT/pages/changelog.adoc
  4. 2
      modules/ROOT/pages/filter-content.adoc
  5. 6
      modules/ROOT/pages/release-notes.adoc
  6. 2
      modules/ROOT/partials/misc/supported-versions.adoc

3
modules/ROOT/nav.adoc

@ -410,6 +410,9 @@
** xref:tinymce-and-cors.adoc[Cross-Origin Resource Sharing (CORS)]
* Release information
** xref:release-notes.adoc[Release notes for {productname} {productmajorversion}]
*** {productname} 7.4.1
**** xref:7.4.1-release-notes.adoc#overview[Overview]
**** xref:7.4.1-release-notes.adoc#security-fix[Security fix]
*** {productname} 7.4
**** xref:7.4-release-notes.adoc#overview[Overview]
**** xref:7.4-release-notes.adoc#accompanying-premium-plugin-changes[Accompanying Premium Plugin changes]

42
modules/ROOT/pages/7.4.1-release-notes.adoc

@ -0,0 +1,42 @@
= {productname} {release-version}
:release-version: 7.4.1
:description: Release notes for TinyMCE 7.4.1
:keywords: releasenotes, new, changes, bugfixes
:page-toclevels: 1
include::partial$misc/admon-releasenotes-for-stable.adoc[]
[[overview]]
== Overview
{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Wednesday, October 10^th^, 2024.
These release notes provide an overview of the changes for {productname} {release-version}, including:
* xref:security-fix[Security fix]
[[security-fix]]
== Security fix
{productname} 7.4.1 includes one fix for the following security issue:
=== Invalid HTML elements within `SVG` elements were not removed
// TINY-11332
A https://owasp.org/www-community/attacks/xss/[cross-site scripting] (XSS) vulnerability was discovered in link:https://www.npmjs.com/package/dompurify[DOMPurify] that affects versions of {productname} prior to {release-version} release. The issue was a result of DOMPurify allowing some bypassing which lead to improper sanitization of invalid HTML elements within XML contexts, exploiting parsing inconsistencies between XML and HTML.
=== Affected Versions
DOMPurify versions prior to `+<3.1.7+`
=== Vulnerabilities
* **Invalid HTML Elements in SVG** (link:https://www.cve.org/CVERecord?id=CVE-2024-45801[CVE-2024-45801]): Allowed invalid HTML elements within `SVG` to bypass sanitization.
* **XML Processing Instruction Bypass**: Exploited differences in XML and HTML parsers regarding Processing Instructions, where XML parsed `+<?xml-stylesheet ><h1>Hello</h1> ?>+` as a single node, allowing `h1` to bypass sanitization.
* **CDATA Section Bypass**: Leveraged differences in CDATA section handling between XML and HTML namespaces, with CDATA treated as bogus comments in HTML, bypassing end token rules for sanitization.
GHSA: link:https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674[GitHub Advisory]
CVE: link:https://www.cve.org/CVERecord?id=CVE-2024-45801[CVE-2024-45801]
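Review bot: the release date on the Overview line is internally inconsistent: `Wednesday, October 10^th^, 2024` names a weekday, but 2024-10-10 (the date the changelog hunk in this commit uses for 7.4.1) was a Thursday; 2024-10-09, the 7.4.0 date, was the Wednesday. Confirm which day the release shipped and correct either the weekday or the date. Two smaller points in the same file: `=== Affected Versions` says `DOMPurify versions prior to `+<3.1.7+`` (the `prior to` and the `<` say the same thing, so drop one) and should also state the affected {productname} range, which the paragraph above gives as versions prior to {release-version}; and in that paragraph `which lead to improper sanitization` should read `which led to`.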

7
modules/ROOT/pages/changelog.adoc

@ -4,6 +4,13 @@
NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes].
== 7.4.1 - 2024-10-10
=== Fixed
* Invalid HTML elements within SVG elements were not removed.
// #TINY-11332
== 7.4.0 - 2024-10-09
=== Added
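Review bot: the 7.4.1 `=== Fixed` entry reads like an ordinary bug fix, but the same commit documents it as CVE-2024-45801 (a DOMPurify XSS sanitization bypass) in 7.4.1-release-notes.adoc; consider naming the CVE or the DOMPurify upgrade in the changelog line so Community users scanning the changelog can see it is a security fix, e.g. `* Invalid HTML elements within SVG elements were not removed (CVE-2024-45801).` Also the tracking comment is written `// #TINY-11332` here but `// TINY-11332` in the release notes page; pick one form.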

2
modules/ROOT/pages/filter-content.adoc

@ -16,7 +16,7 @@ Check out the xref:user-formatting-options.adoc#style_formats[custom formats exa
=== Style merging
Similar elements and styles are merged by default to reduce the output HTML size. For example, instead of assigning one `+span+` element for font size and another `+span+` element for font face, {productname} merges the two styles into a sing `+span+` element.
Similar elements and styles are merged by default to reduce the output HTML size. For example, instead of assigning one `+span+` element for font size and another `+span+` element for font face, {productname} merges the two styles into a single `+span+` element.
=== Built-in formats
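Review bot: this is an unrelated typo fix (`sing` to `single`) bundled into the release-notes commit; fine to land as is, but it would be cleaner as its own commit so the 7.4.1 documentation change stays self-contained.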

6
modules/ROOT/pages/release-notes.adoc

@ -8,6 +8,12 @@ This section lists the releases for {productname} 7 and the changes made in each
[cols="1,1"]
|===
a|
[.lead]
xref:7.4.1-release-notes.adoc#overview[{productname} 7.4.1]
Release notes for {productname} 7.4.1
a|
[.lead]
xref:7.4-release-notes.adoc#overview[{productname} 7.4]

2
modules/ROOT/partials/misc/supported-versions.adoc

@ -6,6 +6,8 @@ Supported versions of {productname}:
[cols="^,^,^",options="header"]
|===
|Version |Release Date |End of Premium Support
|7.4 |2024-10-09 |2026-04-09
|7.3 |2024-08-07 |2026-02-07
|7.2 |2024-06-19 |2025-12-19
|7.1 |2024-05-08 |2025-11-08
|7.0 |2024-03-20 |2025-09-20
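Review bot: the added `|7.4 |2024-10-09 |2026-04-09` row follows the pattern of the existing rows (each End of Premium Support date is 18 months after its Release Date), so the dates check out. Note that the row records the 7.4 minor release rather than 7.4.1, which is consistent with the table tracking minor versions only, but it means the 7.4 row is landing in the 7.4.1 commit rather than the 7.4 one.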
