TinyMCE moxieplayer vulnerability

Open Olorin92 opened this issue 7 years ago • 2 comments

A vulnerability scanner we ran across our Django website (detectify) has flagged the moxieplayer.swf file served as part of the TinyMCE plugin as containing XSS vulnerabilities.

Looking at the plugin, it seems that it's fairly out of date, and the latest version no longer contains this file. I'm not sure what the best way around this is, but ideally we want to prevent this file from being served.

I'm not sure if there's a way to do that in Django already (i.e. serve all these files except the .swf one); if there is, that's the easiest way to go. If not, I've made code changes to the tinymce_setup.js file in my own fork to make it work with the latest TinyMCE, but I did see comments regarding incompatibility with a newer version of TinyMCE a few years ago, so I'm not sure whether that will still be an issue.

Happy to test more thoroughly and create a pull request if that's preferred.

Olorin92 avatar Sep 27 '18 01:09 Olorin92

We can definitely delete it. Go ahead with the PR if you like but let me know if you can't and I'll do it.

Thanks a lot.

stephenmcd avatar Oct 01 '18 18:10 stephenmcd

Great, will do - I'll put in a pull request, but will do a bit more thorough testing before I do that!

Olorin92 avatar Oct 01 '18 22:10 Olorin92