Skip to content
This repository was archived by the owner on Nov 6, 2025. It is now read-only.

Commit be1562e

Browse files
iOvergaardiOvergaard
committed
fix: Tinymce allows potentially unsafe embeds
This sets `convert_unsafe_embeds` to true to act as a workaround for CVE-2024-29881 seeing that we cannot upgrade to tinymce 7 at the moment. The only difference from TinyMCE 6 to 7 in this regard is that this option is set to true and is the official workaround. Fixes https://github.com/umbraco/Umbraco.CMS.Backoffice/security/dependabot/44
1 parent 6366776 commit be1562e

File tree

1 file changed

+1
-0
lines changed

1 file changed

+1
-0
lines changed

src/packages/tiny-mce/components/input-tiny-mce/input-tiny-mce.element.ts

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -243,6 +243,7 @@ export class UmbInputTinyMceElement extends UUIFormControlMixin(UmbLitElement, '
243243
paste_data_images: false,
244244
language: this.#getLanguage(),
245245
promotion: false,
246+
convert_unsafe_embeds: true, // [JOV] Workaround for CVE-2024-29881
246247

247248
// Extend with configuration options
248249
...configurationOptions,

0 commit comments

Comments
 (0)