GHSA-5vm8-hhgr-jcjp: 
JavaScript vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability (GHSA-5vm8-hhgr-jcjp) was discovered in TinyMCE versions prior to 5.7.1. The vulnerability was identified in May 2021 and affects the URL sanitization logic of the core parser for form elements. The issue was discovered by Mikhail Khramenkov at Solar Security Research Team and was assigned a moderate severity rating (GitHub Advisory).

The vulnerability exists in the URL sanitization logic of the core parser for form elements. It enables arbitrary JavaScript execution when a specially crafted piece of content is inserted into the editor using either the clipboard or APIs, followed by form submission. Notably, since TinyMCE prevents form submission during editing, the vulnerability can only be triggered when content is previewed or rendered outside of the editor (GitHub Advisory).

The vulnerability affects all users running TinyMCE version 5.7.0 or lower. When exploited, it could allow attackers to execute arbitrary JavaScript code through specially crafted content, particularly when content is previewed or rendered outside the editor environment (GitHub Advisory).

The vulnerability has been patched in TinyMCE 5.7.1 through improved URL sanitization logic. For users unable to upgrade immediately, alternative workarounds include manually sanitizing form URL attributes using a TinyMCE node filter or disabling form elements in content using the invalid_elements setting. Example workaround code is provided in the advisory for both approaches (GitHub Advisory).