VYPR
Medium severity · 6.1 · OSV Advisory · Published Jun 19, 2024 · Updated Apr 15, 2026

CVE-2024-38356

Description

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when using the noneditable_regexp option, any content within an attribute is properly verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site scripting (XSS) vulnerability in TinyMCE's content extraction code when using the `noneditable_regexp` option allows specially crafted HTML attributes to execute malicious scripts. Patched in versions 7.2.0, 6.8.4, and 5.11.0 LTS.

Vulnerability

Overview

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content extraction code. When using the noneditable_regexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor [2]. The root cause lies in insufficient validation of attribute content against the configured regular expression before it is added to the extracted output.

Exploitation

This vulnerability can be triggered by an attacker who can supply content to a TinyMCE editor instance that is configured with the noneditable_regexp option. The attack vector is an HTML attribute carrying malicious markup that is not checked against the configured regular expression during content extraction. No authentication or special network position is required beyond the ability to influence the editor's input content.

Impact

Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript in the context of the user's browser when the extracted content is processed. This can lead to theft of sensitive data, session hijacking, or other malicious actions typically associated with XSS attacks [1].

Mitigation

The vulnerability has been patched in TinyMCE 7.2.0, 6.8.4, and 5.11.0 LTS. Users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability [2].
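As an added illustration (this is not TinyMCE's code), the following JavaScript models how the attribute value behind a noneditable_regexp match was emitted before and after the fix, and why a plain partial-match check would not have closed the hole. The pattern, the node shapes and the sample values are constructed for the example; the full-match rule mirrors the isValidContent logic in the patch below.

```javascript
// Added example, not TinyMCE's code: models how a noneditable_regexp span's
// data-mce-content attribute was handled before and after the fix, and why a
// plain RegExp.test() is not enough. Pattern and node shapes are constructed.

// Constructed noneditable_regexp configuration: one placeholder pattern like {test1}.
const NON_EDITABLE_REGEXPS = [/\{[a-z0-9]+\}/];

// Post-fix check mirroring the isValidContent logic in the patch: every configured
// pattern must match, and the match must consume the entire attribute value.
function isValidContent(regExps, content) {
  return regExps.every((re) => {
    const matches = content.match(re);
    return matches !== null && matches[0].length === content.length;
  });
}

// Weaker check for comparison: RegExp.test() accepts a partial match, so
// "{test1}<b>baz</b>" passes even though it carries extra markup.
function isValidContentPartial(regExps, content) {
  return regExps.every((re) => re.test(content));
}

// Minimal node model (constructed): text nodes and a non-editable span whose
// attribute value the filter later emits as raw, unescaped text.
function sampleNodes(attrValue) {
  return [
    { type: 'text', value: 'foo' },
    { type: 'span', text: 'something', content: attrValue },
    { type: 'text', value: 'bar' },
  ];
}

// Serialize the node list the way the filter does. With validate=false this is
// the pre-fix behaviour (attribute emitted unchecked); with validate=true the
// span is dropped entirely when the content does not fully match, as the
// patch's node.remove() branch does.
function serializeNoneditable(nodes, regExps, validate) {
  return nodes
    .map((node) => {
      if (node.type === 'text') {
        return node.value;
      }
      if (regExps.length > 0 && node.content) {
        if (!validate || isValidContent(regExps, node.content)) {
          return node.content; // raw text: markup here is not escaped
        }
        return ''; // node.remove()
      }
      return `<span>${node.text}</span>`; // no attribute: ordinary span
    })
    .join('');
}
```

With validate=false the two fixture inputs from the patch's tests reach the output as live markup; with validate=true both collapse to `foobar`, while an exact match such as `{test1}` still round-trips.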

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Ecosystem   Affected versions     Patched versions
tinymce           npm         < 5.11.0              5.11.0
TinyMCE           NuGet       < 5.11.0              5.11.0
tinymce/tinymce   Packagist   < 5.11.0              5.11.0
tinymce           npm         >= 6.0.0, < 6.8.4     6.8.4
tinymce           npm         >= 7.0.0, < 7.2.0     7.2.0
TinyMCE           NuGet       >= 6.0.0, < 6.8.4     6.8.4
TinyMCE           NuGet       >= 7.0.0, < 7.2.0     7.2.0
tinymce/tinymce   Packagist   >= 6.0.0, < 6.8.4     6.8.4
tinymce/tinymce   Packagist   >= 7.0.0, < 7.2.0     7.2.0
django-tinymce    PyPI        < 4.1.0               4.1.0

Patches

5acb741665a9

TINY-11019 & TINY-11022: Fixed issues with noscript encoding and noneditable_regexp option (#15)

https://github.com/tinymce/tinymce · spocke · Jun 19, 2024 · via ghsa
8 files changed · +124 −20
  • modules/tinymce/CHANGELOG.md  +6 −0  modified
    @@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     
     ## Unreleased
     
    +## 6.8.4 - 2024-06-19
    +
    +### Fixed
    +- HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability. #TINY-11019
    +- It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option. #TINY-11022
    +
     ## 6.8.3 - 2024-02-08
     
     ### Changed
    
  • modules/tinymce/package.json  +1 −1  modified
    @@ -1,6 +1,6 @@
     {
       "name": "tinymce",
    -  "version": "6.8.3",
    +  "version": "6.8.4",
       "private": true,
       "repository": {
         "type": "git",
    
  • modules/tinymce/src/core/main/ts/api/html/DomParser.ts  +1 −1  modified
    @@ -92,7 +92,7 @@ const transferChildren = (parent: AstNode, nativeParent: Node, specialElements:
       const parentName = parent.name;
       // Exclude the special elements where the content is RCDATA as their content needs to be parsed instead of being left as plain text
       // See: https://html.spec.whatwg.org/multipage/parsing.html#parsing-html-fragments
    -  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea';
    +  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea' && parentName !== 'noscript';
     
       const childNodes = nativeParent.childNodes;
       for (let ni = 0, nl = childNodes.length; ni < nl; ni++) {
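Review bot: the comment above the changed line still explains the exclusions as "special elements where the content is RCDATA", which fits title and textarea but not the newly added noscript; add a sentence saying why noscript children must be parsed as markup instead of kept as text (the TINY-11019 double-decode issue), so a later reader does not fold the condition back to the two original names.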
    
  • modules/tinymce/src/core/main/ts/dom/DomSerializerFilters.ts  +0 −12  modified
    @@ -2,7 +2,6 @@ import { Arr, Optional } from '@ephox/katamari';
     
     import DOMUtils from '../api/dom/DOMUtils';
     import DomParser from '../api/html/DomParser';
    -import Entities from '../api/html/Entities';
     import AstNode from '../api/html/Node';
     import * as Zwsp from '../text/Zwsp';
     import { DomSerializerSettings } from './DomSerializerImpl';
    @@ -83,17 +82,6 @@ const register = (htmlParser: DomParser, settings: DomSerializerSettings, dom: D
         }
       });
     
    -  htmlParser.addNodeFilter('noscript', (nodes) => {
    -    let i = nodes.length;
    -    while (i--) {
    -      const node = nodes[i].firstChild;
    -
    -      if (node) {
    -        node.value = Entities.decode(node.value ?? '');
    -      }
    -    }
    -  });
    -
       // Force script into CDATA sections and remove the mce- prefix also add comments around styles
       htmlParser.addNodeFilter('script,style', (nodes, name) => {
         const trim = (value: string) => {
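Review bot: deleting the noscript node filter removes the only place that ran Entities.decode over noscript text on serialization, so together with the DomParser change the content is decoded exactly once. A one-line comment next to the remaining 'script,style' filter stating that noscript is intentionally no longer special-cased here would stop someone from re-adding a decode pass later.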
    
  • modules/tinymce/src/core/main/ts/html/NonEditableFilter.ts  +19 −5  modified
    @@ -1,3 +1,5 @@
    +import { Arr } from '@ephox/katamari';
    +
     import Editor from '../api/Editor';
     import { SetContentEvent } from '../api/EventTypes';
     import AstNode from '../api/html/Node';
    @@ -52,6 +54,13 @@ const convertRegExpsToNonEditable = (editor: Editor, nonEditableRegExps: RegExp[
       e.content = content;
     };
     
    +const isValidContent = (nonEditableRegExps: RegExp[], content: string) => {
    +  return Arr.forall(nonEditableRegExps, (re) => {
    +    const matches = content.match(re);
    +    return matches !== null && matches[0].length === content.length;
    +  });
    +};
    +
     const setup = (editor: Editor): void => {
       const contentEditableAttrName = 'contenteditable';
     
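Review bot: isValidContent uses Arr.forall, so when noneditable_regexp holds more than one pattern the attribute content must be a full match for every pattern at once; content that fully matches only one of them is rejected and the node removed. If the intended rule is "survives if any configured pattern matches it whole", Arr.exists is the right combinator; either way the multi-pattern case deserves an explicit test, since the new tests only exercise a single pattern.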
    @@ -91,11 +100,16 @@ const setup = (editor: Editor): void => {
             continue;
           }
     
    -      if (nonEditableRegExps.length > 0 && node.attr('data-mce-content')) {
    -        node.name = '#text';
    -        node.type = 3;
    -        node.raw = true;
    -        node.value = node.attr('data-mce-content');
    +      const content = node.attr('data-mce-content');
    +      if (nonEditableRegExps.length > 0 && content) {
    +        if (isValidContent(nonEditableRegExps, content)) {
    +          node.name = '#text';
    +          node.type = 3;
    +          node.raw = true;
    +          node.value = content;
    +        } else {
    +          node.remove();
    +        }
           } else {
             node.attr(contentEditableAttrName, null);
           }
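Review bot: in the else branch node.remove() drops the span together with its visible child text, which is what NonEditableFilterTest expects ('<p>foobar</p>'); a short comment that the whole element is discarded on purpose, because both the attribute and the visible text come from untrusted input, would make the intent clear to the next maintainer.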
    
  • modules/tinymce/src/core/test/ts/browser/content/EditorContentTest.ts  +33 −0  modified
    @@ -1,3 +1,4 @@
    +import { Waiter } from '@ephox/agar';
     import { beforeEach, context, describe, it } from '@ephox/bedrock-client';
     import { Arr, Type } from '@ephox/katamari';
     import { PlatformDetection } from '@ephox/sand';
    @@ -675,4 +676,36 @@ describe('browser.tinymce.core.content.EditorContentTest', () => {
           TinyAssertions.assertContent(editor, '<svg width="100" height="100"><circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"><script>alert(1)</script></circle></svg>');
         });
       });
    +
    +  context('Special elements', () => {
    +    const hook = TinyHooks.bddSetup<Editor>({
    +      base_url: '/project/tinymce/js/tinymce'
    +    }, []);
    +
    +    it('TINY-11019: Should not be possible to run scripts inside noscript elements', async () => {
    +      const editor = hook.editor();
    +      let state = false;
    +      const editorWinGlobal = editor.getWin() as unknown as any;
    +
    +      editorWinGlobal.xss = () => {
    +        state = true;
    +      };
    +
    +      editor.setContent('<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +
    +      await Waiter.pWait(1);
    +
    +      delete editorWinGlobal.xss;
    +
    +      assert.isFalse(state, 'xss function should not have been called');
    +      TinyAssertions.assertContent(editor, '<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +    });
    +
    +    it('TINY-11019: Should not double decode noscript contents', () => {
    +      const editor = hook.editor();
    +
    +      editor.setContent('<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +      TinyAssertions.assertContent(editor, '<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +    });
    +  });
     });
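Review bot: the negative assertion in the first TINY-11019 test comes after Waiter.pWait(1), a 1 ms delay; an onload handler that fired later than that would still leave state false, so the test cannot reliably tell fixed from vulnerable behaviour. Asserting on the serialized content alone (which it already does) or waiting for a deterministic event would make the xss-flag check meaningful.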
    
  • modules/tinymce/src/core/test/ts/browser/html/DomParserTest.ts  +45 −0  modified
    @@ -1729,4 +1729,49 @@ describe('browser.tinymce.core.html.DomParserTest', () => {
           assert.equal(serializedHtml, '<div><svg> <circle> </circle> </svg> <svg> <circle> </circle> </svg></div>');
         });
       });
    +
    +  context('Special elements', () => {
    +    const schema = Schema({ extended_valid_elements: 'script,noembed,xmp', valid_children: '+body[style]' });
    +
    +    const testSpecialElement = (testCase: { input: string; expected: string }) => {
    +      const fragment = DomParser({ forced_root_block: 'p', sanitize: false }, schema).parse(testCase.input);
    +      const serializedHtml = HtmlSerializer({}, schema).serialize(fragment);
    +
    +      assert.equal(serializedHtml, testCase.expected);
    +    };
    +
    +    it('TINY-11019: Should not entity encode text in script elements', () => testSpecialElement({
    +      input: '<script>if (a < b) alert(1)</script>',
    +      expected: '<script>if (a < b) alert(1)</script>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text in style elements', () => testSpecialElement({
    +      input: '<style>b > i {}</style>',
    +      expected: '<style>b > i {}</style>'
    +    }));
    +
    +    it('TINY-11019: Should not entity decode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea>&lt;&gt;&amp;</textarea></div>',
    +      expected: '<div><textarea>&lt;&gt;&amp;</textarea></div>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea><b>test</b></textarea></div>',
    +      expected: '<div><textarea>&lt;b&gt;test&lt;/b&gt;</textarea></div>'
    +    }));
    +
    +    const excluded = [ 'script', 'style', 'title', 'plaintext', 'textarea' ];
    +    const specialElements = Arr.filter(Obj.keys(schema.getSpecialElements()), (name) => !Arr.contains(excluded, name));
    +    Arr.each(specialElements, (elementName) => {
    +      it(`TINY-11019: Should not entity decode text inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`,
    +        expected: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`
    +      }));
    +
    +      it(`TINY-11019: Should not entity encode elements inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}><em>test</em></${elementName}></div>`,
    +        expected: `<div><${elementName}><em>test</em></${elementName}></div>`
    +      }));
    +    });
    +  });
     });
    
  • modules/tinymce/src/core/test/ts/browser/html/NonEditableFilterTest.ts  +19 −1  modified
    @@ -1,4 +1,4 @@
    -import { describe, it } from '@ephox/bedrock-client';
    +import { context, describe, it } from '@ephox/bedrock-client';
     import { TinyAssertions, TinyHooks } from '@ephox/wrap-mcagar';
     import { assert } from 'chai';
     
    @@ -39,4 +39,22 @@ describe('browser.tinymce.core.html.NonEditableFilterTest', () => {
         editor.setContent('<span contenteditable="false">{test1}</span>');
         assert.lengthOf(editor.dom.select('span'), 1);
       });
    +
    +  context('Noneditable content injection', () => {
    +    const testNoneditableContentInjection = (testCase: { input: string; expected: string }) => {
    +      const editor = hook.editor();
    +      editor.setContent(testCase.input);
    +      TinyAssertions.assertContent(editor, testCase.expected);
    +    };
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that does not match the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that just partially matches the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="{test1}<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +  });
     });
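Review bot: both new cases are negative; add a positive case where data-mce-content is exactly one pattern match (for example '{test1}') to show that valid non-editable content still round-trips as raw text after the change, otherwise a regression that removes every such span would pass this suite.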
    
a9fb858509f8

TINY-11019 & TINY-11022: Fixed issues with noscript encoding and noneditable_regexp option (#16)

https://github.com/tinymce/tinymce · spocke · Jun 19, 2024 · via ghsa
8 files changed · +129 −19
  • .changes/unreleased/tinymce-TINY-11019-2024-06-11.yaml  +6 −0  added
    @@ -0,0 +1,6 @@
    +project: tinymce
    +kind: Fixed
    +body: HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability.
    +time: 2024-06-11T14:05:19.634277+02:00
    +custom:
    +  Issue: TINY-11019
    
  • .changes/unreleased/tinymce-TINY-11022-2024-06-12.yaml  +6 −0  added
    @@ -0,0 +1,6 @@
    +project: tinymce
    +kind: Fixed
    +body: It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option.
    +time: 2024-06-12T07:27:17.817625+02:00
    +custom:
    +  Issue: TINY-11022
    
  • modules/tinymce/src/core/main/ts/api/html/DomParser.ts  +1 −1  modified
    @@ -90,7 +90,7 @@ const transferChildren = (parent: AstNode, nativeParent: Node, specialElements:
       const parentName = parent.name;
       // Exclude the special elements where the content is RCDATA as their content needs to be parsed instead of being left as plain text
       // See: https://html.spec.whatwg.org/multipage/parsing.html#parsing-html-fragments
    -  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea';
    +  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea' && parentName !== 'noscript';
     
       const childNodes = nativeParent.childNodes;
       for (let ni = 0, nl = childNodes.length; ni < nl; ni++) {
    
  • modules/tinymce/src/core/main/ts/dom/DomSerializerFilters.ts  +0 −12  modified
    @@ -2,7 +2,6 @@ import { Arr, Optional } from '@ephox/katamari';
     
     import DOMUtils from '../api/dom/DOMUtils';
     import DomParser from '../api/html/DomParser';
    -import Entities from '../api/html/Entities';
     import AstNode from '../api/html/Node';
     import * as Zwsp from '../text/Zwsp';
     import { DomSerializerSettings } from './DomSerializerImpl';
    @@ -83,17 +82,6 @@ const register = (htmlParser: DomParser, settings: DomSerializerSettings, dom: D
         }
       });
     
    -  htmlParser.addNodeFilter('noscript', (nodes) => {
    -    let i = nodes.length;
    -    while (i--) {
    -      const node = nodes[i].firstChild;
    -
    -      if (node) {
    -        node.value = Entities.decode(node.value ?? '');
    -      }
    -    }
    -  });
    -
       // Force script into CDATA sections and remove the mce- prefix also add comments around styles
       htmlParser.addNodeFilter('script,style', (nodes, name) => {
         const trim = (value: string) => {
    
  • modules/tinymce/src/core/main/ts/html/NonEditableFilter.ts  +19 −5  modified
    @@ -1,3 +1,5 @@
    +import { Arr } from '@ephox/katamari';
    +
     import Editor from '../api/Editor';
     import { SetContentEvent } from '../api/EventTypes';
     import AstNode from '../api/html/Node';
    @@ -52,6 +54,13 @@ const convertRegExpsToNonEditable = (editor: Editor, nonEditableRegExps: RegExp[
       e.content = content;
     };
     
    +const isValidContent = (nonEditableRegExps: RegExp[], content: string) => {
    +  return Arr.forall(nonEditableRegExps, (re) => {
    +    const matches = content.match(re);
    +    return matches !== null && matches[0].length === content.length;
    +  });
    +};
    +
     const setup = (editor: Editor): void => {
       const contentEditableAttrName = 'contenteditable';
     
    @@ -91,11 +100,16 @@ const setup = (editor: Editor): void => {
             continue;
           }
     
    -      if (nonEditableRegExps.length > 0 && node.attr('data-mce-content')) {
    -        node.name = '#text';
    -        node.type = 3;
    -        node.raw = true;
    -        node.value = node.attr('data-mce-content');
    +      const content = node.attr('data-mce-content');
    +      if (nonEditableRegExps.length > 0 && content) {
    +        if (isValidContent(nonEditableRegExps, content)) {
    +          node.name = '#text';
    +          node.type = 3;
    +          node.raw = true;
    +          node.value = content;
    +        } else {
    +          node.remove();
    +        }
           } else {
             node.attr(contentEditableAttrName, null);
           }
    
  • modules/tinymce/src/core/test/ts/browser/content/EditorContentTest.ts  +33 −0  modified
    @@ -1,3 +1,4 @@
    +import { Waiter } from '@ephox/agar';
     import { beforeEach, context, describe, it } from '@ephox/bedrock-client';
     import { Arr, Type } from '@ephox/katamari';
     import { TinyApis, TinyAssertions, TinyHooks } from '@ephox/wrap-mcagar';
    @@ -687,4 +688,36 @@ describe('browser.tinymce.core.content.EditorContentTest', () => {
           TinyAssertions.assertContent(editor, '<svg width="100" height="100"><circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"><script>alert(1)</script></circle></svg>');
         });
       });
    +
    +  context('Special elements', () => {
    +    const hook = TinyHooks.bddSetup<Editor>({
    +      base_url: '/project/tinymce/js/tinymce'
    +    }, []);
    +
    +    it('TINY-11019: Should not be possible to run scripts inside noscript elements', async () => {
    +      const editor = hook.editor();
    +      let state = false;
    +      const editorWinGlobal = editor.getWin() as unknown as any;
    +
    +      editorWinGlobal.xss = () => {
    +        state = true;
    +      };
    +
    +      editor.setContent('<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +
    +      await Waiter.pWait(1);
    +
    +      delete editorWinGlobal.xss;
    +
    +      assert.isFalse(state, 'xss function should not have been called');
    +      TinyAssertions.assertContent(editor, '<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +    });
    +
    +    it('TINY-11019: Should not double decode noscript contents', () => {
    +      const editor = hook.editor();
    +
    +      editor.setContent('<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +      TinyAssertions.assertContent(editor, '<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +    });
    +  });
     });
    
  • modules/tinymce/src/core/test/ts/browser/html/DomParserTest.ts  +45 −0  modified
    @@ -1738,6 +1738,51 @@ describe('browser.tinymce.core.html.DomParserTest', () => {
           const serializedHtml = HtmlSerializer({}, schema).serialize(DomParser({ forced_root_block: 'p' }, schema).parse(input));
           assert.equal(serializedHtml, '<div><math> <mrow> </mrow> </math> <math> </math></div>');
         });
    +
       });
     
    +  context('Special elements', () => {
    +    const schema = Schema({ extended_valid_elements: 'script,noembed,xmp', valid_children: '+body[style]' });
    +
    +    const testSpecialElement = (testCase: { input: string; expected: string }) => {
    +      const fragment = DomParser({ forced_root_block: 'p', sanitize: false }, schema).parse(testCase.input);
    +      const serializedHtml = HtmlSerializer({}, schema).serialize(fragment);
    +
    +      assert.equal(serializedHtml, testCase.expected);
    +    };
    +
    +    it('TINY-11019: Should not entity encode text in script elements', () => testSpecialElement({
    +      input: '<script>if (a < b) alert(1)</script>',
    +      expected: '<script>if (a < b) alert(1)</script>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text in style elements', () => testSpecialElement({
    +      input: '<style>b > i {}</style>',
    +      expected: '<style>b > i {}</style>'
    +    }));
    +
    +    it('TINY-11019: Should not entity decode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea>&lt;&gt;&amp;</textarea></div>',
    +      expected: '<div><textarea>&lt;&gt;&amp;</textarea></div>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea><b>test</b></textarea></div>',
    +      expected: '<div><textarea>&lt;b&gt;test&lt;/b&gt;</textarea></div>'
    +    }));
    +
    +    const excluded = [ 'script', 'style', 'title', 'plaintext', 'textarea' ];
    +    const specialElements = Arr.filter(Obj.keys(schema.getSpecialElements()), (name) => !Arr.contains(excluded, name));
    +    Arr.each(specialElements, (elementName) => {
    +      it(`TINY-11019: Should not entity decode text inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`,
    +        expected: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`
    +      }));
    +
    +      it(`TINY-11019: Should not entity encode elements inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}><em>test</em></${elementName}></div>`,
    +        expected: `<div><${elementName}><em>test</em></${elementName}></div>`
    +      }));
    +    });
    +  });
     });
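Review bot: the first added line of this hunk is a stray blank `+` line inserted before the closing `});` of the previous context block rather than in front of the new 'Special elements' context; drop it so the file formatting matches the 6.8.4 backport of the same test block.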
    
  • modules/tinymce/src/core/test/ts/browser/html/NonEditableFilterTest.ts  +19 −1  modified
    @@ -1,4 +1,4 @@
    -import { describe, it } from '@ephox/bedrock-client';
    +import { context, describe, it } from '@ephox/bedrock-client';
     import { TinyAssertions, TinyHooks } from '@ephox/wrap-mcagar';
     import { assert } from 'chai';
     
    @@ -39,4 +39,22 @@ describe('browser.tinymce.core.html.NonEditableFilterTest', () => {
         editor.setContent('<span contenteditable="false">{test1}</span>');
         assert.lengthOf(editor.dom.select('span'), 1);
       });
    +
    +  context('Noneditable content injection', () => {
    +    const testNoneditableContentInjection = (testCase: { input: string; expected: string }) => {
    +      const editor = hook.editor();
    +      editor.setContent(testCase.input);
    +      TinyAssertions.assertContent(editor, testCase.expected);
    +    };
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that does not match the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that just partially matches the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="{test1}<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +  });
     });
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
