DOC-2302: add `convert_unsafe_embeds` breaking changes to 7.0 release notes. (#3111)

* DOC-2302: add convert_unsafe_embeds breaking change to 7.0 release notes. * DOC-2302: fixing xref link to security.adoc page. * Update modules/ROOT/pages/7.0-release-notes.adoc Co-authored-by: Mitchell Crompton <mitchell.crompton@tiny.cloud> * Update modules/ROOT/pages/7.0-release-notes.adoc Co-authored-by: Mitchell Crompton <mitchell.crompton@tiny.cloud> * Update modules/ROOT/pages/7.0-release-notes.adoc Co-authored-by: Mitchell Crompton <mitchell.crompton@tiny.cloud> * DOC-2302: created new partials, fixed links and inserted new includes. * Update modules/ROOT/pages/security.adoc Co-authored-by: Mitchell Crompton <mitchell.crompton@tiny.cloud> * DOC-2302: rename partial file names, and update includes. * Update modules/ROOT/pages/7.0-release-notes.adoc Co-authored-by: Mitchell Crompton <mitchell.crompton@tiny.cloud> * Update modules/ROOT/pages/7.0-release-notes.adoc Co-authored-by: Mitchell Crompton <mitchell.crompton@tiny.cloud> --------- Co-authored-by: Mitchell Crompton <mitchell.crompton@tiny.cloud>
1 year ago · 35e3279d82
6 changed files with 57 additions and 44 deletions
--- a/modules/ROOT/pages/7.0-release-notes.adoc
+++ b/modules/ROOT/pages/7.0-release-notes.adoc
@ -235,6 +235,14 @@ Any editors using this `highlight_on_focus: true` option, can remove this option

 // CCFR here.

+=== `convert_unsafe_embeds` editor option is now defaulted to `true`.
+
+In {productname} 6.8.1, xref:content-filtering.adoc#convert-unsafe-embeds[convert_unsafe_embeds] editor option was introduced to allow `+object+` and `+embed+` elements to be converted by default to the correct element, respective of the MIME type, automatically when inserted into the editor.
+
+In {productname} 7.0, the default value for `+convert_unsafe_embeds+` will change from `false` to `true`, meaning that all `+object+` and `+embed+` tags will automatically be converted to different elements when inserted to the editor. If this behaviour is undesirable, set `+convert_unsafe_embeds+` to `+false+` in your editor configuration.
+
+For further details on the `+convert_unsafe_embeds+` option, see the xref:content-filtering.adoc#convert-unsafe-embeds[content filtering options], or refer to the xref:security.adoc#convert-unsafe-embeds[security guide], or the link:https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types[{productname} 6.8.1 release notes].
+

 [[bug-fixes]]
 == Bug fixes
--- a/modules/ROOT/pages/content-filtering.adoc
+++ b/modules/ROOT/pages/content-filtering.adoc
@ -15,6 +15,8 @@ include::partial$configuration/convert_fonts_to_spans.adoc[]

 include::partial$configuration/custom_elements.adoc[]

+include::partial$configuration/convert_unsafe_embeds.adoc[]
+
 include::partial$configuration/doctype.adoc[]

 include::partial$configuration/element_format.adoc[]
@ -43,6 +45,8 @@ include::partial$configuration/pad_empty_with_br.adoc[]

 include::partial$configuration/protect.adoc[]

+include::partial$configuration/sandbox_iframes.adoc[]
+
 include::partial$configuration/schema.adoc[]

 include::partial$configuration/valid_children.adoc[]
--- a/modules/ROOT/pages/security.adoc
+++ b/modules/ROOT/pages/security.adoc
@ -92,7 +92,9 @@ include::partial$security/sanitizing-html-input-and-protecting-against-xss-attac
 [[securing-embedded-external-resources]]
 === Securing embedded external resources

-include::partial$security/securing-embedded-external-resources.adoc[]
+include::partial$configuration/sandbox_iframes.adoc[]
+
+include::partial$configuration/convert_unsafe_embeds.adoc[]

 [[insecure-transmission-and-storage-of-data]]
 === Insecure Transmission and Storage of data
--- a/modules/ROOT/partials/configuration/convert_unsafe_embeds.adoc
+++ b/modules/ROOT/partials/configuration/convert_unsafe_embeds.adoc
@ -0,0 +1,22 @@
+[[convert-unsafe-embeds]]
+== `convert_unsafe_embeds` option
+
+This option controls whether an `<object>` and `<embed>` elements will be converted to more restrictive alternatives, namely `<img>` for image MIME types, `<video>` for video MIME types, `<audio>` for audio MIME types, or `<iframe>` for other or unspecified MIME types. 
+
+When converted to `<img>`, `<video>`, or `<audio>`, this prevents the embedded resource from performing potentially malicious actions including scripting, file downloads, browser popups, passing the same-origin policy, among others. Enable the `sandbox_iframes` option in addition to ensure <iframe> conversions are also neutralised.
+
+*Type:* `+Boolean+`
+
+*Possible values:* `true`, `false`
+
+*Default value:* `true`
+
+=== Example: using `convert_unsafe_embeds` option
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',  // change this value according to your html
+  convert_unsafe_embeds: false
+});
+----
--- a/modules/ROOT/partials/configuration/sandbox_iframes.adoc
+++ b/modules/ROOT/partials/configuration/sandbox_iframes.adoc
@ -0,0 +1,20 @@
+[[sandbox-iframes-option]]
+== `sandbox_iframes` option
+
+This option controls whether the editor will add a `sandbox=""` attribute to all `<iframe>` elements. This will restrict the iframe’s embedded resource from performing potentially malicious actions including scripting, file downloads, browser popups, passing the same-origin policy, among others. Reference: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox[MDN].
+
+*Type:* `+Boolean+`
+
+*Possible values:* `true`, `false`
+
+*Default value:* `false`
+
+=== Example: using `sandbox_iframes` option
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',  // change this value according to your html
+  sandbox_iframes: true
+});
+----
--- a/modules/ROOT/partials/security/securing-embedded-external-resources.adoc
+++ b/modules/ROOT/partials/security/securing-embedded-external-resources.adoc
@ -1,43 +0,0 @@
-[[sandbox-iframes-option]]
-==== `sandbox_iframes` option
-
-This option controls whether the editor will add a `sandbox=""` attribute to all `<iframe>` elements. This will restrict the iframe’s embedded resource from performing potentially malicious actions including scripting, file downloads, browser popups, passing the same-origin policy, among others. Reference: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox[MDN].
-
-*Type:* `+Boolean+`
-
-*Possible values:* `true`, `false`
-
-*Default value:* `false`
-
-===== Example: using `sandbox_iframes` option
-
-[source,js]
----
-tinymce.init({
-  selector: 'textarea',  // change this value according to your html
-  sandbox_iframes: true
-});
----
-
-[[convert-unsafe-embeds]]
-==== `convert_unsafe_embeds` option
-
-This option controls whether an `<object>` and `<embed>` elements will be converted to more restrictive alternatives, namely `<img>` for image MIME types, `<video>` for video MIME types, `<audio>` for audio MIME types, or `<iframe>` for other or unspecified MIME types. 
-
-When converted to `<img>`, `<video>`, or `<audio>`, this prevents the embedded resource from performing potentially malicious actions including scripting, file downloads, browser popups, passing the same-origin policy, among others. Enable the `sandbox_iframes` option in addition to ensure <iframe> conversions are also neutralised.
-
-*Type:* `+Boolean+`
-
-*Possible values:* `true`, `false`
-
-*Default value:* `false`
-
-===== Example: using `convert_unsafe_embeds` option
-
-[source,js]
----
-tinymce.init({
-  selector: 'textarea',  // change this value according to your html
-  convert_unsafe_embeds: true
-});
----