User tests: Successful: Unsuccessful:
This PR updates tinymce to version 4.5.11 - this is the highest version we can include in Joomla 3 due to browser support
Version 4.5.11 (2019-05-16)
Fixed bug where the editor would scroll to the top of the editable area if a dialog was closed in inline mode. #TINY-1073
Version 4.5.10 (2018-10-19)
Changed the contextual toolbar shortcut to Ctrl+F9 since an Edge shortcut interfered with the previous one.
Updated references to website and company name
Status | New | ⇒ | Pending |
Category | ⇒ | Administration Language & Strings External Library JavaScript Front End Plugins |
I have tested this item
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2019-06-05 16:35:07 |
Closed_By | ⇒ | HLeithner | |
Labels |
Added:
?
|
thx
thx
thanks
Could the introduction of this new version of Tiny MCE cause issues in modules that are created by third parties? I am using third party modules in which HTML markup is used, in textarea fields. Until J 3.9.6 this was no problem, but in J 3.9.8 all HTML markup is stripped out. Besides the update to J 3.9.8 no other settings were changed regarding Text Filtering and so on.
I have looked at the settings in the Tiny MCE plugin and tried different settings, without good result, the HTML markup gets stripped out of all fields in the third party module.
No this would have no impact
There is an issue with custom subfields and filtering html from textarea and edtor fields.
This is already fixed for the next version.
Do you mean this?
I know it is not core Joomla, but I would not have expected this.
I will download staging tomorrow and give it try again.
It's not related to my pr directly. I just provided a fix for a similiar issue for subform fields in com_fields::repeatable. And the issue here is not related to TinyMCE
All extensions that use subform fields MUST add an attribute filter
to their subform child fields of type editor
, textarea
, text
(maybe others, too) since Joomla 3.9.7 like it's common for "normal" JForm fields if you want to allow HTML input. Otherwise the validation falls back to STRING
, which is the common behavior for "normal" JForm fields.
e.g.
filter="safehtml"
filter="JComponentHelper::filterText"
filter="raw"
(bad decision in most cases)
Reason is a SECURITY fix in Joomla 3.9.7. Subform child fields weren't validated before that fix and for example JavaScript injections were possible without any cleaning.
Before that fix filter attributes in subform child fields were completely effectless!!
Example from core for a "good" field declaration:
<field
name="tag_list_description"
type="textarea"
class="inputbox"
label="COM_TAGS_SHOW_TAG_LIST_DESCRIPTION_LABEL"
description="COM_TAGS_TAG_LIST_DESCRIPTION_DESC"
rows="3"
cols="30"
filter="safehtml"
/>
FYI: Added info to docs: https://docs.joomla.org/Subform_form_field_type#Beware.21
Maybe it should be propagated at other locations, too.
Thanks @ReLater and @HLeithner , I have informed the author of this module already and send him the links to this thread and the docs.
@zero-24 @SniperSister can you take a look at rips please