
---
layout: default
title: Security
title_nav: Security
description_short: A statement on security.
description: A statement on security.
keywords: security xss scripting vulnerability hack hacker
---

Q: Is TinyMCE protected against XSS vulnerabilities?

TinyMCE strips some of the more common XSS vectors, such as script elements, from the content on the client side, because the editor is often used in single page applications where content is rendered without a server round trip. Client-side filtering runs in the user's (or attacker's) own browser and is bypassed by simply posting content directly to your backend, so it must not be the only control: pass submitted HTML through a server-side filter such as HTMLPurifier before storing or rendering it.

Q: How do I setup Content Security Policy (CSP) with TinyMCE?

You can use TinyMCE with a CSP, but a few sources have to be allowed for the editor to function properly. A policy delivered in a `<meta>` tag applies only to that document and must appear before any resource loads; where you control the server, sending it as a `Content-Security-Policy` response header is preferable.

The directives TinyMCE requires, and why:

| Directive | Requirement |
|---|---|
| `script-src 'self' *.tinymce.com;` | Scripts are sometimes loaded as a script element with an `src` attribute. |
| `connect-src 'self' *.tinymce.com;` | XMLHttpRequest is required by some services such as spellchecking. |
| `img-src 'self' *.tinymce.com data: blob:;` | Images within the editor are sometimes base64 encoded, blob URLs, or proxied through the cloud service. |
| `style-src 'self' 'unsafe-inline';` | Inline styles are used on dialogs and menus to position them relative to other elements. |
| `font-src 'self' *.tinymce.com;` | Fonts are used for icons in the UI and are loaded from external files. |

You can use this CSP when the editor is served from the cloud:

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' *.tinymce.com *.tiny.cloud; connect-src 'self' *.tinymce.com *.tiny.cloud; img-src 'self' *.tinymce.com *.tiny.cloud data: blob:; style-src 'self' 'unsafe-inline' *.tinymce.com *.tiny.cloud; font-src 'self' *.tinymce.com *.tiny.cloud;" />
```

When TinyMCE is self-hosted on your own domain, the `*.tinymce.com` and `*.tiny.cloud` sources can be dropped:

```html
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self';" />
```
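As an added example (not part of the TinyMCE documentation or the editor's own code), the following Node.js script builds the policy from the table above for either deployment mode, emits it as an HTTP response header rather than a `<meta>` tag, and lints an existing policy for the sources the editor needs before you put the editor behind it. The `/tinymce/tinymce.min.js` path in the demo page is an assumed self-hosted location; the `Content-Security-Policy-Report-Only` header is standard CSP used here as a roll-out step the page does not cover.

```javascript
'use strict';

// Remote hosts from the page's cloud policy. Added example; not TinyMCE code.
const TINY_HOSTS = ['*.tinymce.com', '*.tiny.cloud'];

// Build the policy string from the directives in the table above.
// selfHosted = true drops the remote hosts, matching the page's local policy.
function buildTinyMceCsp({ selfHosted = false } = {}) {
  const remote = selfHosted ? [] : TINY_HOSTS;
  const directives = {
    'default-src': ["'none'"],
    'script-src': ["'self'", ...remote],
    'connect-src': ["'self'", ...remote],
    'img-src': ["'self'", ...remote, 'data:', 'blob:'],
    'style-src': ["'self'", "'unsafe-inline'", ...remote],
    'font-src': ["'self'", ...remote],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a policy string into { directive: [sources] }; tolerates a trailing ';'.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Does `policy` allow `source` under `directive`? Falls back to default-src
// when the fetch directive is absent, as browsers do.
function cspAllows(policy, directive, source) {
  const parsed = parseCsp(policy);
  const sources = parsed[directive] ?? parsed['default-src'] ?? [];
  return sources.includes(source);
}

// List the "directive source" pairs from the table that an existing policy
// lacks, so a header can be checked before the editor is deployed behind it.
function missingForTinyMce(policy, opts) {
  const required = parseCsp(buildTinyMceCsp(opts));
  const missing = [];
  for (const [directive, sources] of Object.entries(required)) {
    if (directive === 'default-src') continue;
    for (const source of sources) {
      if (!cspAllows(policy, directive, source)) missing.push(`${directive} ${source}`);
    }
  }
  return missing;
}

// Header form of the policy. Start with Report-Only to surface violations
// from the rest of the page without breaking it, then switch to enforcing.
function cspHeaders(opts, { reportOnly = false } = {}) {
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { [name]: buildTinyMceCsp(opts) };
}

// Minimal self-hosted demo server; the script path is an assumption.
async function startServer(port) {
  const http = await import('node:http');
  const page =
    '<!doctype html><textarea id="editor"></textarea>' +
    '<script src="/tinymce/tinymce.min.js"></script>';
  return http.createServer((req, res) => {
    res.writeHead(200, { 'Content-Type': 'text/html', ...cspHeaders({ selfHosted: true }) });
    res.end(page);
  }).listen(port);
}

// Example usage: lint a bare policy against the self-hosted requirements.
const lintResult = missingForTinyMce("default-src 'self'", { selfHosted: true });
```

`lintResult` for the bare `default-src 'self'` policy comes back as the three sources the editor still needs (`img-src data:`, `img-src blob:`, `style-src 'unsafe-inline'`), which is the same information you would otherwise collect from console violation reports one at a time. Note that `'unsafe-inline'` in `style-src` is the weakest entry in this policy; it is required by the editor's dialogs, so keep `script-src` free of it.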