No Code Attached Yet
brianteeman
11 Aug 2021

TinyMCE has an autosave plugin that is always enabled in Joomla. There are no configuration options or UI exposed within the Joomla implementation of TinyMCE.

The autosave plugin can do a lot of things but the only thing we use it for is to pop up an alert if you try to use the browser back button to leave an article which has unsaved changes.

This works by TinyMCE keeping a copy of an edited article in your browser's local storage.

The problem is that if you continue to leave the article the storage is not cleared AND it won't be until you edit the article again. So if you never re-visit your articles a copy will be kept in the browser local storage. Browser local storage is designed to be permanent and is fundamentally vulnerable to XSS attack.

After discussions with @SniperSister I would propose that the autosave plugin is disabled/removed from Joomla and a different method is used to warn users who use the back button in their browser.

brianteeman - open - 11 Aug 2021
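
A cleanup check for the leftover drafts described in the post above, as an added example that is not part of the original issue or of Joomla's or TinyMCE's code: it lists and purges TinyMCE autosave entries from a Storage object. The key prefix and the `draft`/`time` suffixes are assumed from TinyMCE's default `autosave_prefix`; `makeMemoryStorage` and the sample keys are constructed.

```javascript
// Assumption: TinyMCE's default autosave_prefix begins with "tinymce-autosave-"
// and each editor stores two entries: "<prefix>draft" and "<prefix>time" (ms epoch).
const AUTOSAVE_PREFIX = 'tinymce-autosave-';

// List autosave drafts held in a Storage-like object (window.localStorage in a browser).
function findAutosaveDrafts(storage) {
  const drafts = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (!key || !key.startsWith(AUTOSAVE_PREFIX) || !key.endsWith('draft')) continue;
    const base = key.slice(0, -'draft'.length);
    const t = Number(storage.getItem(base + 'time'));
    // A missing or unparsable timestamp is treated as maximally old (savedAt 0).
    drafts.push({ base, savedAt: Number.isFinite(t) ? t : 0,
                  chars: (storage.getItem(key) || '').length });
  }
  return drafts;
}

// Remove drafts at least maxAgeMs old (0 removes all); returns the removed key bases.
function purgeAutosaveDrafts(storage, maxAgeMs = 0, now = Date.now()) {
  const removed = [];
  for (const d of findAutosaveDrafts(storage)) { // snapshot first, then mutate
    if (now - d.savedAt < maxAgeMs) continue;
    storage.removeItem(d.base + 'draft');
    storage.removeItem(d.base + 'time');
    removed.push(d.base);
  }
  return removed;
}

// Constructed in-memory stand-in for localStorage so the example runs outside a browser.
function makeMemoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    get length() { return m.size; },
    key: (i) => Array.from(m.keys())[i] ?? null,
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed sample: one leftover draft with hypothetical key parts.
const demo = makeMemoryStorage({
  'tinymce-autosave-/example/edit-editor1-draft': '<p>unsaved text</p>',
  'tinymce-autosave-/example/edit-editor1-time': '1628640000000',
  'unrelated-key': 'kept',
});
console.log(purgeAutosaveDrafts(demo), demo.length);
```

In a browser, pass `window.localStorage`, for instance after a successful save or on logout.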
brianteeman - comment - 7 Dec 2021

Closed - no interest

brianteeman - change - 7 Dec 2021
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2021-12-07 17:00:02
Closed_By: brianteeman
Labels Added: No Code Attached Yet
Removed: ?
brianteeman - close - 7 Dec 2021
