CervantesSec/cervantes

Code samples don't work properly in tinyMCE

Closed this issue · 8 comments

If you insert anything beginning with <X, where X is any character, into tinyMCE as a code sample, it will be removed.

Steps to reproduce:

  • Create a Vulnerability and put the following code sample into any field using tinyMCE:
test_string1 = "abc<" # is ok

test_string2 = "<anything..." # everything after < disappears

def fibonacci(n):
    a, b = 0, 1
    sequence = []
    while len(sequence) < n: # ok
        sequence.append(a)
        a, b = b, a + b
    return sequence

print(fibonacci(10))

If you put a space after < or if it is anywhere but at the beginning of a new token, everything remains the same:

test_string3 = "< anything" # this is fine
  • Click "Edit" to save the vulnerability
  • Open the vulnerability to see that the code has disappeared.

[Screenshot 1: 2024-08-09 17-16-35]
[Screenshot 2: 2024-08-09 17-17-03]

Additional notes

  • HTML tags also get removed even inside normal tinyMCE text input
  • Even if the code inside the code samples is OK and doesn't contain the < symbol, the sample is only editable and looks like a sample while it isn't saved. After reopening, it cannot be interacted with anymore and looks like plain text (as seen in the second image)

Hi @jpostolk, thanks for reporting this issue. I will take a look and let you know :)

Thank you
Best regards

Update: I found the problem. There's a library that cleans the user input to avoid XSS. The code samples are detected as something malicious; I will try to make some tweaks in order to resolve it.
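The pattern in the report (a `<` directly followed by a character loses everything after it, while `abc<` and `< anything` survive) is what a tag stripper that runs over entity-decoded text produces, and it also explains why an allowlist that drops the `<pre class="language-xxx">` wrapper leaves a sample looking like plain text. The following is an added example and is not Cervantes' code nor the library referred to above: a regex stripper that reproduces the three reported cases, beside an allowlist sanitizer built on Python's stdlib `html.parser` that keeps the TinyMCE code-sample wrapper, re-escapes every text node so `<` inside code survives, and still removes script and event-handler payloads. The exact markup the TinyMCE codesample plugin stores is an assumption here, as is the sample input.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: the three test strings from the report, as plain text.
REPORTED_LINES = [
    'test_string1 = "abc<"',          # '<' followed by '"'      -> survives
    'test_string2 = "<anything..."',  # '<' followed by a letter -> tail is eaten
    'test_string3 = "< anything"',    # '<' followed by a space  -> survives
]


def naive_strip_tags(text: str) -> str:
    """Regex 'tag stripper' of the kind that produces the reported symptom.

    '<' directly followed by a letter, '/', '!' or '?' is taken as the start
    of a tag and removed up to the next '>' or, failing that, to the end of
    the input. Illustration only; not the library Cervantes uses.
    """
    return re.sub(r"<[A-Za-z/!?][^>]*>?", "", text)


# Allowlist for the sanitizer below. Everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "pre", "code"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}  # drop these together with their text
LANGUAGE_CLASS = re.compile(r"^language-[a-z0-9]+$")  # Prism class TinyMCE emits (assumed)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from allowed tags only, re-escaping every text node.

    A literal '<' in a code sample therefore comes back out as '&lt;' whatever
    follows it; attributes are discarded except a 'language-xxx' class on
    <pre>/<code>, and output tags are kept balanced.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown or dangerous element: drop the tag, keep its text
        kept = ""
        if tag in ("pre", "code"):
            for name, value in attrs:
                if name == "class" and value and LANGUAGE_CLASS.match(value):
                    kept = f' class="{value}"'
        self.out.append(f"<{tag}{kept}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if tag not in self.open:
            return  # stray, void or disallowed end tag
        while self.open:  # close inner elements too, keeping output balanced
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(markup: str) -> str:
    """Sanitize serialized editor HTML once, at markup level (never unescape first)."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    return parser.result()


# Constructed: a TinyMCE code sample as stored (code text HTML-escaped inside
# <pre class="language-xxx"><code>; the exact wrapper is an assumption), followed
# by the kind of payloads the sanitizer exists to remove.
EDITOR_MARKUP = (
    '<pre class="language-python"><code>'
    + html.escape("\n".join(REPORTED_LINES), quote=False)
    + "</code></pre>"
    '<p onclick="alert(1)">note <img src=x onerror="alert(1)"> here</p>'
    "<script>alert(document.cookie)</script>"
)

if __name__ == "__main__":
    for line in REPORTED_LINES:
        print(f"{line!r:34} -> {naive_strip_tags(line)!r}")
    print(sanitize(EDITOR_MARKUP))
```

The point of the second half is that a sanitizer should decide what to keep by parsing the stored HTML and re-escaping text, not by pattern-matching `<` in decoded content; with that in place the `<pre class="language-...">` block survives intact, which is also what the editor needs to recognise the sample as editable when the vulnerability is reopened.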

Hi, thanks for the update!

Hi @jpostolk, I created a new dev image with a tweak that should allow the code samples (it's only applied to the vuln modules for the moment).

If you want to try it :)

  • Clone the docker repository:
git clone https://github.com/CervantesSec/docker.git
  • After that you need to start your docker containers:
docker-compose -p cervantes -f docker-compose-dev.yml up -d

Thank you :)
Best regards

Hi, thank you for the update. I can confirm the removal of text/code is fixed :) However, the code sample still isn't editable through the code sample feature after saving, and it still looks like plain text in the report.


Is this something that might be implemented in the future? Not something that is necessary, just a nice to have.

Hi @jpostolk, I am still working on it, and the code sample editing is fixed. I will create a new dev image :)

Edited: Dev Image created

About the plain text in the report: the problem is that TinyMCE uses its own styling (prism.js) for the syntax colors. On report generation the style used is the one defined in the vuln/component, so the generator is not able to get the style from prism.js (I don't know if I explained it well). A possible tweak would be if TinyMCE is able to put a style instead of using a class, but I need to check it.

Thank you :)

Hi, yes, that makes sense. If TinyMCE were able to do that it would be nice, but it really is not necessary.

Once again many thanks :)

Hi @jpostolk, I checked it. It's possible to do some tweaks on the generator to add a style, but it will not be the same as TinyMCE's.

I will put it on the backlog as a nice-to-have to take a look at in the future.

I will close this issue :)

Best regards