[Security] Bump tinymce from 5.5.1 to 5.8.2 #167

Open
wants to merge 1 commit into base: develop

Conversation

dependabot-preview[bot]
Contributor

Bumps tinymce from 5.5.1 to 5.8.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Regex denial of service vulnerability in codesample plugin

Impact

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.6.0 or higher
  • Disable the codesample plugin
  • Disable ruby code samples using the codesample_languages setting
  • Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting

Acknowledgements

Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

For more information

... (truncated)

Affected versions: < 5.6.0

Sourced from The GitHub Security Advisory Database.

Cross-site scripting vulnerability in TinyMCE

Impact

A cross-site scripting (XSS) vulnerability was discovered in the URL sanitization logic of the core parser for form elements. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor using the clipboard or APIs, and then submitting the form. However, as TinyMCE does not allow forms to be submitted while editing, the vulnerability could only be triggered when the content was previewed or rendered outside of the editor. This impacts all users who are using TinyMCE 5.7.0 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.7.1 by improved URL sanitization logic.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.7.1 or higher
  • Manually sanitize form URL attributes using a TinyMCE node filter.
  • Disable form elements in your content using the invalid_elements setting.

Example: Sanitizing using a node filter

editor.parser.addNodeFilter('form', function(nodes) {
  nodes.forEach(function(node) {
    if (node.attributes) {
      node.attributes.forEach(function(attr) {
        var name = attr.name;
        var value = attr.value;

... (truncated)

Affected versions: < 5.7.1

Changelog

Sourced from tinymce's changelog.

5.8.2 - 2021-06-23

Fixed

  • Fixed an issue when pasting cells from tables containing colgroups into tables without colgroups #TINY-6675
  • Fixed an issue that could cause an invalid toolbar button state when multiple inline editors were on a single page #TINY-6297

5.8.1 - 2021-05-20

Fixed

  • An unexpected exception was thrown when switching to readonly mode and adjusting the editor width #TINY-6383
  • Content could be lost when the pagebreak_split_block setting was enabled #TINY-3388
  • The list-style-type: none; style on nested list items was incorrectly removed when clearing formatting #TINY-6264
  • URLs were not always detected when pasting over a selection. Patch contributed by jwcooper #TINY-6997
  • Properties on the OpenNotification event were incorrectly namespaced #TINY-7486

5.8.0 - 2021-05-06

Added

  • Added the PAGE_UP and PAGE_DOWN key code constants to the VK API #TINY-4612
  • The editor resize handle can now be controlled using the keyboard #TINY-4823
  • Added a new fixed_toolbar_container_target setting which renders the toolbar in the specified HTMLElement. Patch contributed by pvrobays

Improved

  • The inline_boundaries feature now supports the home, end, pageup, and pagedown keys #TINY-4612
  • Updated the formatter.matchFormat API to support matching formats with variables in the classes property #TINY-7227
  • Added HTML5 audio and video elements to the default alignment formats #TINY-6633
  • Added support for alpha list numbering to the list properties dialog #TINY-6891

Changed

  • Updated the image dialog to display the class list dropdown as full-width if the caption checkbox is not present #TINY-6400
  • Renamed the "H Align" and "V Align" input labels in the Table Cell Properties dialog to "Horizontal align" and "Vertical align" respectively #TINY-7285

Deprecated

  • The undocumented setIconStroke Split Toolbar Button API has been deprecated and will be removed in a future release #TINY-3551

Fixed

  • Fixed a bug where it wasn't possible to align nested list items #TINY-6567
  • The RGB fields in the color picker dialog were not staying in sync with the color palette and hue slider #TINY-6952
  • The color preview box in the color picker dialog was not correctly displaying the saturation and value of the chosen color #TINY-6952
  • The color picker dialog will now show an alert if it is submitted with an invalid hex color code #TINY-2814
  • Fixed a bug where the TableModified event was not fired when adding a table row with the Tab key #TINY-7006
  • Added missing images_file_types setting to the exported TypeScript types #GH-6607
  • Fixed a bug where lists pasted from Word with Roman numeral markers were not displayed correctly. Patch contributed by aautio #GH-6620
  • The editor.insertContent API was incorrectly handling nested span elements with matching styles #TINY-6263
  • The HTML5 small element could not be removed when clearing text formatting #TINY-6633
  • The Oxide button text transform variable was incorrectly using capitalize instead of none. Patch contributed by dakur #GH-6341
  • Fix dialog button text that was using title-style capitalization #TINY-6816
  • Table plugin could perform operations on tables containing the inline editor #TINY-6625
  • Fixed Tab key navigation inside table cells with a ranged selection #TINY-6638
  • The foreground and background toolbar button color indicator is no longer blurry #TINY-3551

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)
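The node filter that the second advisory above shows only a fragment of, written out in full together with the codesample_languages setting from the first advisory's ReDoS workaround, as an added example that is not TinyMCE's, the advisory's or this PR's code. It assumes the TinyMCE 5 parser node shape (`attributes` as an array of {name, value}, `node.attr(name, null)` to remove one), registration of the filter from init's `setup` callback on the PreInit event, and an allow-list of http, https and mailto for form actions as a local policy choice; SAFE_SCHEMES, normalizeUrl, isSafeUrl, sanitizeFormNodes, makeNode and demo are names chosen here, and the two form nodes in demo() are constructed input.

```javascript
// Added example (not TinyMCE's, the advisory's or this PR's code): a complete
// <form> node filter for the XSS workaround, plus a config that leaves ruby
// out of the codesample languages for the ReDoS workaround.
// Assumptions: TinyMCE parser nodes expose `attributes` as an array of
// {name, value} and `node.attr(name, null)` removes an attribute; the filter
// is registered from init's `setup` callback on the PreInit event; and the
// scheme allow-list below is a policy choice, not anything TinyMCE mandates.

// URL-bearing attributes of <form> that the filter inspects.
const FORM_URL_ATTRS = ['action'];

// Schemes a form may post to. Anything else (javascript:, data:, vbscript:,
// or an unknown/odd scheme such as "example.com:8080") is rejected.
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

// Bring the value to the form a browser sees before it parses the scheme:
// decode decimal/hex character references that pasted markup may carry,
// then drop ASCII control characters and spaces, so "java\tscript:" and
// "&#106;avascript:" are recognised. Stripping interior spaces is more than
// a browser does; the error is toward rejecting, not accepting.
function normalizeUrl(value) {
  const decoded = String(value)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
  return decoded.replace(/[\u0000-\u0020\u007f]/g, '');
}

// true for relative URLs and for absolute URLs with an allowed scheme.
function isSafeUrl(value) {
  const v = normalizeUrl(value);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  if (!m) return true; // no scheme: relative URL
  return SAFE_SCHEMES.includes(m[1].toLowerCase());
}

// Node filter body. Removes every unsafe URL attribute from each <form>
// node and returns how many were removed, so the effect can be checked.
function sanitizeFormNodes(nodes) {
  let removed = 0;
  nodes.forEach((node) => {
    if (!node.attributes) return;
    // iterate over a copy: node.attr(name, null) mutates node.attributes
    node.attributes.slice().forEach((attr) => {
      if (FORM_URL_ATTRS.includes(attr.name.toLowerCase()) && !isSafeUrl(attr.value)) {
        node.attr(attr.name, null);
        removed += 1;
      }
    });
  });
  return removed;
}

// Init config wiring both workarounds (assumed registration point, see above).
// Choosing invalid_elements: 'form' instead would drop forms altogether.
const hardenedInit = {
  selector: 'textarea',
  plugins: 'codesample',
  codesample_languages: [ // ruby deliberately absent (ReDoS workaround)
    { text: 'HTML/XML', value: 'markup' },
    { text: 'JavaScript', value: 'javascript' },
    { text: 'Python', value: 'python' }
  ],
  setup: function (editor) {
    editor.on('PreInit', function () {
      editor.parser.addNodeFilter('form', sanitizeFormNodes);
    });
  }
};

// Constructed stand-in for a parser node so the filter runs outside the editor.
function makeNode(pairs) {
  const node = { attributes: pairs.map(([name, value]) => ({ name, value })) };
  node.attr = function (name, value) {
    const i = this.attributes.findIndex((a) => a.name === name);
    if (value === null) {
      if (i >= 0) this.attributes.splice(i, 1);
    } else if (i >= 0) {
      this.attributes[i].value = value;
    } else {
      this.attributes.push({ name, value });
    }
    return this;
  };
  return node;
}

// Constructed sample: one pasted form with a disguised javascript: action,
// one benign form. Returns which attributes survived on each.
function demo() {
  const pasted = makeNode([['action', 'java\tscript:alert(1)'], ['method', 'post']]);
  const benign = makeNode([['action', 'https://example.com/submit'], ['method', 'post']]);
  const removed = sanitizeFormNodes([pasted, benign]);
  return {
    removed,
    pasted: pasted.attributes.map((a) => a.name),
    benign: benign.attributes.map((a) => a.name)
  };
}
```

The normalisation step is the part worth keeping even after upgrading: the advisory notes the payload only fires when content is previewed or rendered outside the editor, so the check has to reject what a browser would later parse as a javascript: scheme, not just the literal string "javascript:". With hardenedInit in place, dropping ruby from codesample_languages covers the PrismJS ReDoS without touching the highlighter version, and the filter removes the action attribute rather than the whole form, so legitimate pasted forms survive.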

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Bumps [tinymce](https://github.com/tinymce/tinymce-dist) from 5.5.1 to 5.8.2. **This update includes security fixes.**
- [Release notes](https://github.com/tinymce/tinymce-dist/releases)
- [Changelog](https://github.com/tinymce/tinymce-dist/blob/master/CHANGELOG.md)
- [Commits](tinymce/tinymce-dist@5.5.1...5.8.2)

Signed-off-by: dependabot-preview[bot] <[email protected]>
dependabot-preview[bot] added the dependencies, javascript and security labels on Jul 1, 2021
Labels
dependencies (Pull requests that update a dependency file), javascript (Pull requests that update Javascript code), security (Pull requests that address a security vulnerability)
Projects
None yet
Development
Successfully merging this pull request may close these issues: None yet
0 participants