VYPR
Medium severity · CVSS 6.1 · OSV Advisory · Published Jun 19, 2024 · Updated Apr 15, 2026

CVE-2024-38357
Description

TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content parsing code. This allowed specially crafted noscript elements containing malicious code to be executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements are properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TinyMCE content parsing flaw allowed XSS via crafted noscript elements; patched in versions 7.2.0, 6.8.4, and 5.11.0.

Vulnerability

Description

TinyMCE, an open-source rich text editor, contains a cross-site scripting (XSS) vulnerability in its content parsing code. The editor fails to properly handle specially crafted `<noscript>` elements, allowing malicious JavaScript to be injected when the content is loaded into the editor. This flaw stems from inadequate sanitization of HTML within `<noscript>` tags during content parsing [1][2].

Attack

Vector

An attacker can exploit this by crafting content containing malicious `<noscript>` elements. When a victim loads this content into a vulnerable TinyMCE instance, the injected script executes in the context of the editor's domain. The attack does not require authentication beyond having access to the editor and the ability to submit or share crafted content [1][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of session cookies, exfiltration of sensitive data, page content manipulation, or actions performed on behalf of the authenticated user. The vulnerability is rated Medium (CVSS 6.1) due to its ability to compromise confidentiality and integrity [1][2].

Mitigation

TinyMCE has patched this vulnerability in versions 7.2.0, 6.8.4, and 5.11.0 LTS by ensuring `<noscript>` elements are properly parsed. All users are advised to upgrade to these versions. No known workarounds are available; upgrading is the only remediation [2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package         | Ecosystem | Affected versions | Patched versions |
|-----------------|-----------|-------------------|------------------|
| tinymce         | npm       | < 5.11.0          | 5.11.0           |
| TinyMCE         | NuGet     | < 5.11.0          | 5.11.0           |
| tinymce/tinymce | Packagist | < 5.11.0          | 5.11.0           |
| tinymce         | npm       | >= 6.0.0, < 6.8.4 | 6.8.4            |
| tinymce         | npm       | >= 7.0.0, < 7.2.0 | 7.2.0            |
| TinyMCE         | NuGet     | >= 6.0.0, < 6.8.4 | 6.8.4            |
| TinyMCE         | NuGet     | >= 7.0.0, < 7.2.0 | 7.2.0            |
| tinymce/tinymce | Packagist | >= 6.0.0, < 6.8.4 | 6.8.4            |
| tinymce/tinymce | Packagist | >= 7.0.0, < 7.2.0 | 7.2.0            |
| django-tinymce  | PyPI      | < 4.1.0           | 4.1.0            |
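The following is an added example, not code from the advisory or from the TinyMCE project: it encodes the ranges in the table above as data and checks resolved dependency versions against them, treating a pre-release of a patched version as still affected. The `auditDependencies` helper and the sample dependency map are assumptions of the example; the package names and ranges are the table's.

```javascript
// Added example for CVE-2024-38357: is an installed version inside an affected range?
// Ranges are transcribed from the "Affected packages" table. The NuGet "TinyMCE" and
// Packagist "tinymce/tinymce" packages carry the same ranges as npm "tinymce".
// Each entry: [lowerBoundInclusive or null, upperBoundExclusive]; the upper bound is
// the release that carries the fix.
const AFFECTED_RANGES = {
  'tinymce': [
    [null, '5.11.0'],
    ['6.0.0', '6.8.4'],
    ['7.0.0', '7.2.0'],
  ],
  'django-tinymce': [
    [null, '4.1.0'],
  ],
};

// Parse "major.minor.patch" with an optional leading "v", pre-release tag and build
// metadata. Range specifiers such as "^6.8.3" are rejected on purpose: pass the
// resolved version from the lockfile, not the constraint from package.json.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) {
    throw new Error(`not a resolved semantic version: ${v}`);
  }
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// Three-way compare. A pre-release (e.g. 6.8.4-rc.1) sorts before the final release,
// so a pre-release of the patched version is still reported as affected.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) {
      return pa.nums[i] < pb.nums[i] ? -1 : 1;
    }
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

// Returns the patched version the installed one should move to, or null when the
// installed version lies outside every affected range for that package.
function patchedVersionFor(pkg, version) {
  const ranges = AFFECTED_RANGES[pkg];
  if (!ranges) {
    throw new Error(`no range data on this page for package: ${pkg}`);
  }
  for (const [lo, hi] of ranges) {
    const aboveLower = lo === null || compareVersions(version, lo) >= 0;
    if (aboveLower && compareVersions(version, hi) < 0) {
      return hi;
    }
  }
  return null;
}

function isAffected(pkg, version) {
  return patchedVersionFor(pkg, version) !== null;
}

// Audit a map of resolved dependency versions as read from a lockfile (hypothetical
// helper). Packages the table does not mention are skipped rather than reported.
function auditDependencies(installed) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    if (!(name in AFFECTED_RANGES)) continue;
    const fixedIn = patchedVersionFor(name, version);
    if (fixedIn !== null) {
      findings.push({ name, installed: version, fixedIn });
    }
  }
  return findings;
}

// Constructed sample input, shaped like the resolved versions in a lockfile.
const SAMPLE_DEPENDENCIES = { tinymce: '6.8.3', 'django-tinymce': '4.1.0', lodash: '4.17.21' };
console.log(auditDependencies(SAMPLE_DEPENDENCIES));
// → [ { name: 'tinymce', installed: '6.8.3', fixedIn: '6.8.4' } ]
```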

Patches

5acb741665a9

TINY-11019 & TINY-11022: Fixed issues with noscript encoding and noneditable_regexp option (#15)

https://github.com/tinymce/tinymce · spocke · Jun 19, 2024 · via ghsa
8 files changed · +124 −20
  • modules/tinymce/CHANGELOG.md  +6 −0  modified
    @@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
     
     ## Unreleased
     
    +## 6.8.4 - 2024-06-19
    +
    +### Fixed
    +- HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability. #TINY-11019
    +- It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option. #TINY-11022
    +
     ## 6.8.3 - 2024-02-08
     
     ### Changed
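
    Review bot: The two Fixed entries cite only the internal tickets; add the public advisory identifier (CVE-2024-38357 on this page) to each entry, since packagers and scanners match releases to advisories by that id rather than by TINY-xxxx numbers.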
    
  • modules/tinymce/package.json  +1 −1  modified
    @@ -1,6 +1,6 @@
     {
       "name": "tinymce",
    -  "version": "6.8.3",
    +  "version": "6.8.4",
       "private": true,
       "repository": {
         "type": "git",
    
  • modules/tinymce/src/core/main/ts/api/html/DomParser.ts  +1 −1  modified
    @@ -92,7 +92,7 @@ const transferChildren = (parent: AstNode, nativeParent: Node, specialElements:
       const parentName = parent.name;
       // Exclude the special elements where the content is RCDATA as their content needs to be parsed instead of being left as plain text
       // See: https://html.spec.whatwg.org/multipage/parsing.html#parsing-html-fragments
    -  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea';
    +  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea' && parentName !== 'noscript';
     
       const childNodes = nativeParent.childNodes;
       for (let ni = 0, nl = childNodes.length; ni < nl; ni++) {
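
    Review bot: The comment above the changed line justifies the exclusions as RCDATA elements, but `noscript` is not RCDATA in the linked spec (only `title` and `textarea` are); it is excluded here because its children must be parsed as markup rather than kept as one plain-text node, which is what let the serializer's old `noscript` filter decode that text a second time. Update the comment to say so, and consider replacing the growing `!==` chain with a named exclusion list (the new DomParserTest already keeps one as `excluded`).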
    
  • modules/tinymce/src/core/main/ts/dom/DomSerializerFilters.ts  +0 −12  modified
    @@ -2,7 +2,6 @@ import { Arr, Optional } from '@ephox/katamari';
     
     import DOMUtils from '../api/dom/DOMUtils';
     import DomParser from '../api/html/DomParser';
    -import Entities from '../api/html/Entities';
     import AstNode from '../api/html/Node';
     import * as Zwsp from '../text/Zwsp';
     import { DomSerializerSettings } from './DomSerializerImpl';
    @@ -83,17 +82,6 @@ const register = (htmlParser: DomParser, settings: DomSerializerSettings, dom: D
         }
       });
     
    -  htmlParser.addNodeFilter('noscript', (nodes) => {
    -    let i = nodes.length;
    -    while (i--) {
    -      const node = nodes[i].firstChild;
    -
    -      if (node) {
    -        node.value = Entities.decode(node.value ?? '');
    -      }
    -    }
    -  });
    -
       // Force script into CDATA sections and remove the mce- prefix also add comments around styles
       htmlParser.addNodeFilter('script,style', (nodes, name) => {
         const trim = (value: string) => {
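
    Review bot: Dropping this filter is the correct fix: `Entities.decode` ran over the first child text node on every serialization, so escaped markup inside `noscript` that the parser had already handled came out decoded. It is also a visible serialization change for stored documents (text that used to be emitted decoded is now emitted as parsed, which the 'Should not double decode noscript contents' test pins down), so the changelog entry should state that the saved output of existing content can differ after upgrading.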
    
  • modules/tinymce/src/core/main/ts/html/NonEditableFilter.ts  +19 −5  modified
    @@ -1,3 +1,5 @@
    +import { Arr } from '@ephox/katamari';
    +
     import Editor from '../api/Editor';
     import { SetContentEvent } from '../api/EventTypes';
     import AstNode from '../api/html/Node';
    @@ -52,6 +54,13 @@ const convertRegExpsToNonEditable = (editor: Editor, nonEditableRegExps: RegExp[
       e.content = content;
     };
     
    +const isValidContent = (nonEditableRegExps: RegExp[], content: string) => {
    +  return Arr.forall(nonEditableRegExps, (re) => {
    +    const matches = content.match(re);
    +    return matches !== null && matches[0].length === content.length;
    +  });
    +};
    +
     const setup = (editor: Editor): void => {
       const contentEditableAttrName = 'contenteditable';
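
    Review bot: `Arr.forall` requires the content to fully match every configured pattern, but `noneditable_regexp` takes a list and a given non-editable span normally originates from exactly one of them; with two patterns configured, content matching only its own pattern fails `isValidContent` and is removed by the caller. If rejecting such content is intended, add a test with two patterns; otherwise `Arr.exists` looks like the right quantifier. The full-match test itself is sound: `matches[0]` is the matched substring for both global and non-global regexps, so equal length implies it spans the whole string.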
     
    @@ -91,11 +100,16 @@ const setup = (editor: Editor): void => {
             continue;
           }
     
    -      if (nonEditableRegExps.length > 0 && node.attr('data-mce-content')) {
    -        node.name = '#text';
    -        node.type = 3;
    -        node.raw = true;
    -        node.value = node.attr('data-mce-content');
    +      const content = node.attr('data-mce-content');
    +      if (nonEditableRegExps.length > 0 && content) {
    +        if (isValidContent(nonEditableRegExps, content)) {
    +          node.name = '#text';
    +          node.type = 3;
    +          node.raw = true;
    +          node.value = content;
    +        } else {
    +          node.remove();
    +        }
           } else {
             node.attr(contentEditableAttrName, null);
           }
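
    Review bot: `node.remove()` discards the whole element, visible text included, with no trace in the output or console; that is the safe default, but because the guard tests truthiness, an element carrying `data-mce-content=""` takes the `else` branch and is kept with `contenteditable` stripped instead of being removed. Say whether the empty-content case is intended, and consider a documented note so authors understand why non-matching spans disappear.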
    
  • modules/tinymce/src/core/test/ts/browser/content/EditorContentTest.ts  +33 −0  modified
    @@ -1,3 +1,4 @@
    +import { Waiter } from '@ephox/agar';
     import { beforeEach, context, describe, it } from '@ephox/bedrock-client';
     import { Arr, Type } from '@ephox/katamari';
     import { PlatformDetection } from '@ephox/sand';
    @@ -675,4 +676,36 @@ describe('browser.tinymce.core.content.EditorContentTest', () => {
           TinyAssertions.assertContent(editor, '<svg width="100" height="100"><circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"><script>alert(1)</script></circle></svg>');
         });
       });
    +
    +  context('Special elements', () => {
    +    const hook = TinyHooks.bddSetup<Editor>({
    +      base_url: '/project/tinymce/js/tinymce'
    +    }, []);
    +
    +    it('TINY-11019: Should not be possible to run scripts inside noscript elements', async () => {
    +      const editor = hook.editor();
    +      let state = false;
    +      const editorWinGlobal = editor.getWin() as unknown as any;
    +
    +      editorWinGlobal.xss = () => {
    +        state = true;
    +      };
    +
    +      editor.setContent('<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +
    +      await Waiter.pWait(1);
    +
    +      delete editorWinGlobal.xss;
    +
    +      assert.isFalse(state, 'xss function should not have been called');
    +      TinyAssertions.assertContent(editor, '<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +    });
    +
    +    it('TINY-11019: Should not double decode noscript contents', () => {
    +      const editor = hook.editor();
    +
    +      editor.setContent('<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +      TinyAssertions.assertContent(editor, '<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +    });
    +  });
     });
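
    Review bot: `Waiter.pWait(1)` is a fixed 1 ms delay used to prove that `onload` never fires, and a fixed delay cannot establish absence on a slow runner. Assert the structural property as well, for example that `editor.getBody()` contains no `style` element after `setContent`, so the test fails deterministically if the content escapes the `noscript` element.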
    
  • modules/tinymce/src/core/test/ts/browser/html/DomParserTest.ts  +45 −0  modified
    @@ -1729,4 +1729,49 @@ describe('browser.tinymce.core.html.DomParserTest', () => {
           assert.equal(serializedHtml, '<div><svg> <circle> </circle> </svg> <svg> <circle> </circle> </svg></div>');
         });
       });
    +
    +  context('Special elements', () => {
    +    const schema = Schema({ extended_valid_elements: 'script,noembed,xmp', valid_children: '+body[style]' });
    +
    +    const testSpecialElement = (testCase: { input: string; expected: string }) => {
    +      const fragment = DomParser({ forced_root_block: 'p', sanitize: false }, schema).parse(testCase.input);
    +      const serializedHtml = HtmlSerializer({}, schema).serialize(fragment);
    +
    +      assert.equal(serializedHtml, testCase.expected);
    +    };
    +
    +    it('TINY-11019: Should not entity encode text in script elements', () => testSpecialElement({
    +      input: '<script>if (a < b) alert(1)</script>',
    +      expected: '<script>if (a < b) alert(1)</script>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text in style elements', () => testSpecialElement({
    +      input: '<style>b > i {}</style>',
    +      expected: '<style>b > i {}</style>'
    +    }));
    +
    +    it('TINY-11019: Should not entity decode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea>&lt;&gt;&amp;</textarea></div>',
    +      expected: '<div><textarea>&lt;&gt;&amp;</textarea></div>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea><b>test</b></textarea></div>',
    +      expected: '<div><textarea>&lt;b&gt;test&lt;/b&gt;</textarea></div>'
    +    }));
    +
    +    const excluded = [ 'script', 'style', 'title', 'plaintext', 'textarea' ];
    +    const specialElements = Arr.filter(Obj.keys(schema.getSpecialElements()), (name) => !Arr.contains(excluded, name));
    +    Arr.each(specialElements, (elementName) => {
    +      it(`TINY-11019: Should not entity decode text inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`,
    +        expected: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`
    +      }));
    +
    +      it(`TINY-11019: Should not entity encode elements inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}><em>test</em></${elementName}></div>`,
    +        expected: `<div><${elementName}><em>test</em></${elementName}></div>`
    +      }));
    +    });
    +  });
     });
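
    Review bot: `noscript`, the element this fix is about, is exercised only indirectly: it is tested if and only if it survives `Obj.keys(schema.getSpecialElements())` minus the `excluded` list. Add an explicit `noscript` case (or assert that `specialElements` contains it) so a later change to the schema's special-element list cannot silently drop the TINY-11019 regression; `title` and `plaintext` are also excluded here without a replacement test.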
    
  • modules/tinymce/src/core/test/ts/browser/html/NonEditableFilterTest.ts  +19 −1  modified
    @@ -1,4 +1,4 @@
    -import { describe, it } from '@ephox/bedrock-client';
    +import { context, describe, it } from '@ephox/bedrock-client';
     import { TinyAssertions, TinyHooks } from '@ephox/wrap-mcagar';
     import { assert } from 'chai';
     
    @@ -39,4 +39,22 @@ describe('browser.tinymce.core.html.NonEditableFilterTest', () => {
         editor.setContent('<span contenteditable="false">{test1}</span>');
         assert.lengthOf(editor.dom.select('span'), 1);
       });
    +
    +  context('Noneditable content injection', () => {
    +    const testNoneditableContentInjection = (testCase: { input: string; expected: string }) => {
    +      const editor = hook.editor();
    +      editor.setContent(testCase.input);
    +      TinyAssertions.assertContent(editor, testCase.expected);
    +    };
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that does not match the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that just partially matches the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="{test1}<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +  });
     });
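
    Review bot: Both new cases assert removal; add a positive case in which `data-mce-content` fully matches the configured pattern (the file already uses `{test1}` above) and is retained as text, otherwise a regression in `isValidContent` that rejects everything would still pass this suite.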
    
a9fb858509f8

TINY-11019 & TINY-11022: Fixed issues with noscript encoding and noneditable_regexp option (#16)

https://github.com/tinymce/tinymce · spocke · Jun 19, 2024 · via ghsa
8 files changed · +129 −19
  • .changes/unreleased/tinymce-TINY-11019-2024-06-11.yaml  +6 −0  added
    @@ -0,0 +1,6 @@
    +project: tinymce
    +kind: Fixed
    +body: HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability.
    +time: 2024-06-11T14:05:19.634277+02:00
    +custom:
    +  Issue: TINY-11019
    
  • .changes/unreleased/tinymce-TINY-11022-2024-06-12.yaml  +6 −0  added
    @@ -0,0 +1,6 @@
    +project: tinymce
    +kind: Fixed
    +body: It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option.
    +time: 2024-06-12T07:27:17.817625+02:00
    +custom:
    +  Issue: TINY-11022
    
  • modules/tinymce/src/core/main/ts/api/html/DomParser.ts  +1 −1  modified
    @@ -90,7 +90,7 @@ const transferChildren = (parent: AstNode, nativeParent: Node, specialElements:
       const parentName = parent.name;
       // Exclude the special elements where the content is RCDATA as their content needs to be parsed instead of being left as plain text
       // See: https://html.spec.whatwg.org/multipage/parsing.html#parsing-html-fragments
    -  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea';
    +  const isSpecial = parentName in specialElements && parentName !== 'title' && parentName !== 'textarea' && parentName !== 'noscript';
     
       const childNodes = nativeParent.childNodes;
       for (let ni = 0, nl = childNodes.length; ni < nl; ni++) {
    
  • modules/tinymce/src/core/main/ts/dom/DomSerializerFilters.ts  +0 −12  modified
    @@ -2,7 +2,6 @@ import { Arr, Optional } from '@ephox/katamari';
     
     import DOMUtils from '../api/dom/DOMUtils';
     import DomParser from '../api/html/DomParser';
    -import Entities from '../api/html/Entities';
     import AstNode from '../api/html/Node';
     import * as Zwsp from '../text/Zwsp';
     import { DomSerializerSettings } from './DomSerializerImpl';
    @@ -83,17 +82,6 @@ const register = (htmlParser: DomParser, settings: DomSerializerSettings, dom: D
         }
       });
     
    -  htmlParser.addNodeFilter('noscript', (nodes) => {
    -    let i = nodes.length;
    -    while (i--) {
    -      const node = nodes[i].firstChild;
    -
    -      if (node) {
    -        node.value = Entities.decode(node.value ?? '');
    -      }
    -    }
    -  });
    -
       // Force script into CDATA sections and remove the mce- prefix also add comments around styles
       htmlParser.addNodeFilter('script,style', (nodes, name) => {
         const trim = (value: string) => {
    
  • modules/tinymce/src/core/main/ts/html/NonEditableFilter.ts  +19 −5  modified
    @@ -1,3 +1,5 @@
    +import { Arr } from '@ephox/katamari';
    +
     import Editor from '../api/Editor';
     import { SetContentEvent } from '../api/EventTypes';
     import AstNode from '../api/html/Node';
    @@ -52,6 +54,13 @@ const convertRegExpsToNonEditable = (editor: Editor, nonEditableRegExps: RegExp[
       e.content = content;
     };
     
    +const isValidContent = (nonEditableRegExps: RegExp[], content: string) => {
    +  return Arr.forall(nonEditableRegExps, (re) => {
    +    const matches = content.match(re);
    +    return matches !== null && matches[0].length === content.length;
    +  });
    +};
    +
     const setup = (editor: Editor): void => {
       const contentEditableAttrName = 'contenteditable';
     
    @@ -91,11 +100,16 @@ const setup = (editor: Editor): void => {
             continue;
           }
     
    -      if (nonEditableRegExps.length > 0 && node.attr('data-mce-content')) {
    -        node.name = '#text';
    -        node.type = 3;
    -        node.raw = true;
    -        node.value = node.attr('data-mce-content');
    +      const content = node.attr('data-mce-content');
    +      if (nonEditableRegExps.length > 0 && content) {
    +        if (isValidContent(nonEditableRegExps, content)) {
    +          node.name = '#text';
    +          node.type = 3;
    +          node.raw = true;
    +          node.value = content;
    +        } else {
    +          node.remove();
    +        }
           } else {
             node.attr(contentEditableAttrName, null);
           }
    
  • modules/tinymce/src/core/test/ts/browser/content/EditorContentTest.ts  +33 −0  modified
    @@ -1,3 +1,4 @@
    +import { Waiter } from '@ephox/agar';
     import { beforeEach, context, describe, it } from '@ephox/bedrock-client';
     import { Arr, Type } from '@ephox/katamari';
     import { TinyApis, TinyAssertions, TinyHooks } from '@ephox/wrap-mcagar';
    @@ -687,4 +688,36 @@ describe('browser.tinymce.core.content.EditorContentTest', () => {
           TinyAssertions.assertContent(editor, '<svg width="100" height="100"><circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"><script>alert(1)</script></circle></svg>');
         });
       });
    +
    +  context('Special elements', () => {
    +    const hook = TinyHooks.bddSetup<Editor>({
    +      base_url: '/project/tinymce/js/tinymce'
    +    }, []);
    +
    +    it('TINY-11019: Should not be possible to run scripts inside noscript elements', async () => {
    +      const editor = hook.editor();
    +      let state = false;
    +      const editorWinGlobal = editor.getWin() as unknown as any;
    +
    +      editorWinGlobal.xss = () => {
    +        state = true;
    +      };
    +
    +      editor.setContent('<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +
    +      await Waiter.pWait(1);
    +
    +      delete editorWinGlobal.xss;
    +
    +      assert.isFalse(state, 'xss function should not have been called');
    +      TinyAssertions.assertContent(editor, '<noscript>&lt;/noscript&gt;&lt;style onload=xss()&gt;&lt;/style&gt;</noscript>');
    +    });
    +
    +    it('TINY-11019: Should not double decode noscript contents', () => {
    +      const editor = hook.editor();
    +
    +      editor.setContent('<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +      TinyAssertions.assertContent(editor, '<noscript>&amp;lt;/noscript&amp;&gt;</noscript>');
    +    });
    +  });
     });
    
  • modules/tinymce/src/core/test/ts/browser/html/DomParserTest.ts  +45 −0  modified
    @@ -1738,6 +1738,51 @@ describe('browser.tinymce.core.html.DomParserTest', () => {
           const serializedHtml = HtmlSerializer({}, schema).serialize(DomParser({ forced_root_block: 'p' }, schema).parse(input));
           assert.equal(serializedHtml, '<div><math> <mrow> </mrow> </math> <math> </math></div>');
         });
    +
       });
     
    +  context('Special elements', () => {
    +    const schema = Schema({ extended_valid_elements: 'script,noembed,xmp', valid_children: '+body[style]' });
    +
    +    const testSpecialElement = (testCase: { input: string; expected: string }) => {
    +      const fragment = DomParser({ forced_root_block: 'p', sanitize: false }, schema).parse(testCase.input);
    +      const serializedHtml = HtmlSerializer({}, schema).serialize(fragment);
    +
    +      assert.equal(serializedHtml, testCase.expected);
    +    };
    +
    +    it('TINY-11019: Should not entity encode text in script elements', () => testSpecialElement({
    +      input: '<script>if (a < b) alert(1)</script>',
    +      expected: '<script>if (a < b) alert(1)</script>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text in style elements', () => testSpecialElement({
    +      input: '<style>b > i {}</style>',
    +      expected: '<style>b > i {}</style>'
    +    }));
    +
    +    it('TINY-11019: Should not entity decode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea>&lt;&gt;&amp;</textarea></div>',
    +      expected: '<div><textarea>&lt;&gt;&amp;</textarea></div>'
    +    }));
    +
    +    it('TINY-11019: Should not entity encode text inside textarea elements', () => testSpecialElement({
    +      input: '<div><textarea><b>test</b></textarea></div>',
    +      expected: '<div><textarea>&lt;b&gt;test&lt;/b&gt;</textarea></div>'
    +    }));
    +
    +    const excluded = [ 'script', 'style', 'title', 'plaintext', 'textarea' ];
    +    const specialElements = Arr.filter(Obj.keys(schema.getSpecialElements()), (name) => !Arr.contains(excluded, name));
    +    Arr.each(specialElements, (elementName) => {
    +      it(`TINY-11019: Should not entity decode text inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`,
    +        expected: `<div><${elementName}>&lt;&gt;&amp;</${elementName}></div>`
    +      }));
    +
    +      it(`TINY-11019: Should not entity encode elements inside ${elementName} elements`, () => testSpecialElement({
    +        input: `<div><${elementName}><em>test</em></${elementName}></div>`,
    +        expected: `<div><${elementName}><em>test</em></${elementName}></div>`
    +      }));
    +    });
    +  });
     });
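
    Review bot: The first `+` line of this hunk adds a whitespace-only line inside the preceding `context` block, just before its closing `});`, instead of the blank line placed after that block in #15; it is unrelated to the fix, so drop it to keep this diff and the backport identical.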
    
  • modules/tinymce/src/core/test/ts/browser/html/NonEditableFilterTest.ts  +19 −1  modified
    @@ -1,4 +1,4 @@
    -import { describe, it } from '@ephox/bedrock-client';
    +import { context, describe, it } from '@ephox/bedrock-client';
     import { TinyAssertions, TinyHooks } from '@ephox/wrap-mcagar';
     import { assert } from 'chai';
     
    @@ -39,4 +39,22 @@ describe('browser.tinymce.core.html.NonEditableFilterTest', () => {
         editor.setContent('<span contenteditable="false">{test1}</span>');
         assert.lengthOf(editor.dom.select('span'), 1);
       });
    +
    +  context('Noneditable content injection', () => {
    +    const testNoneditableContentInjection = (testCase: { input: string; expected: string }) => {
    +      const editor = hook.editor();
    +      editor.setContent(testCase.input);
    +      TinyAssertions.assertContent(editor, testCase.expected);
    +    };
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that does not match the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +
    +    it('TINY-11022: noneditable elements should not be allowed to include content that just partially matches the pattern', () => testNoneditableContentInjection({
    +      input: '<p>foo<span class="mceNonEditable" data-mce-content="{test1}<b>baz</b>" contenteditable="false">something</span>bar</p>',
    +      expected: '<p>foobar</p>'
    +    }));
    +  });
     });
    

