Merge remote-tracking branch 'origin/release/docs-6' into staging/docs-6
kemister85 committed Nov 16, 2023
2 parents 35e1e42 + 2b7aae5 commit d86857d
Showing 10 changed files with 78 additions and 12 deletions.
2 changes: 1 addition & 1 deletion .api-version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
6.7.2
6.7.3
13 changes: 4 additions & 9 deletions changelog.md
Expand Up @@ -7,6 +7,10 @@ The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/
### Unreleased


### 2023-11-15

- DOC-2204: added `6.7.3-release-notes.adoc` to project; updated `changelog.adoc`, `nav.adoc` and `release-notes.adoc` for the TinyMCE 6.7.3 release, and api-version bump for 6.7.3.

### 2023-11-01

- DOC-2194: fix heading lvl in 6.7.2 release notes for fixes.
Expand All @@ -20,11 +24,6 @@ The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/

- DOC-2192: added 6.7.2-specific entries to `changelog.adoc`, and api-version bump for 6.7.2.

- DOC-2075: remove `tinymcespellchecker` configuration workaround from full-featured-demo with Premium plugins examples: `/modules/ROOT/examples/live-demos/full-featured/example.js` and `/modules/ROOT/examples/live-demos/full-featured/index.js`.
- DOC-2182: added file, `/modules/ROOT/partials/configuration/indent.adoc`, documenting the `indent` option. Added `include::` statement to `/modules/ROOT/pages/content-filtering.adoc` pointing to this file.
- DOC-2189: added template files with instructions to `-new-material-templates/plugin-documentation-templates/ROOT/pages`. Added further boilerplate — a generic version-required include statement — and instructions regarding this boilerplate to `pluginpage.adoc`. Added new template file-and-folder infrastructure, `/-new-material-templates/configuration-options-templates`. Added boilerplate and documentation to the files in this new infrastructure. Also corrected markup typo in `modules/ROOT/pages/available-menu-items.adoc`.
- DOC-2177: Added documentation of the `picker_text` property to the `urlinput` dialog component of `dialog-components.adoc`.

### 2023-10-20

- DOC-2200: Add CVE numbers and links to `6.7.1` release notes.
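Review bot: the hunk header (-20,11 +24,6) records five deleted lines, and the only candidates inside the 2023-11-01 section are the DOC-2075, DOC-2182, DOC-2189 and DOC-2177 entries plus a blank line; because this is a merge of release/docs-6 into staging/docs-6, confirm those four entries were dropped deliberately rather than lost in conflict resolution, and restore them if the corresponding staging changes are still in the tree.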
Expand All @@ -43,10 +42,6 @@ The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/
- DOC-2027: added `/modules/ROOT/partials/configuration/help_accessibility.adoc`, documenting the `help_accessibility` option; edits, re-writes and re-structuring of `help.adoc`; plus copy-edits to `keyboard-shortcuts.adoc`, `tinymce-and-screenreaders.adoc` & `accessibility.adoc`.
- DOC-2176: Removed references to which commercial plans Premium plugins are or are not available with.

### 2023-09-17

- DOC-2088: typos and other correction post-6.7 docs enterprise release.

### 2023-09-14

- DOC-2008: cleanup and corrections in `changelog.md`; update version numbers string in `.api-version`.
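Review bot: the hunk header (-43,10 +42,6) shows four deleted lines, which can only be the `### 2023-09-17` heading, its DOC-2088 entry and the surrounding blank lines; removing a whole dated section deletes the record of the post-6.7 corrections, so either keep the section or fold the DOC-2088 entry into an adjacent date.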
3 changes: 3 additions & 0 deletions modules/ROOT/nav.adoc
Expand Up @@ -403,6 +403,9 @@
** xref:tinymce-and-cors.adoc[Cross-Origin Resource Sharing (CORS)]
* Release information
** xref:release-notes.adoc[Release notes for TinyMCE 6]
*** TinyMCE 6.7.3
**** xref:6.7.3-release-notes.adoc#overview[Overview]
**** xref:6.7.3-release-notes.adoc#security-fix[Security fix]
*** TinyMCE 6.7.2
**** xref:6.7.2-release-notes.adoc#overview[Overview]
**** xref:accompanying-premium-self-hosted-server-side-component-changes[Accompanying Premium self-hosted server-side component changes]
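Review bot: the new `**** xref:6.7.3-release-notes.adoc#security-fix[Security fix]` entry targets an anchor that does not exist; the 6.7.3 release-notes page added in this same commit declares `[[security-fixes]]` and links to it as `xref:security-fixes[Security fixes]`, so the nav target should be `#security-fixes` (or the page anchor renamed to match), and the link text should agree with the page heading `== Security fixes`.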
3 changes: 1 addition & 2 deletions modules/ROOT/pages/6.7.1-release-notes.adoc
Expand Up @@ -42,8 +42,7 @@ GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-v65r-p3vv-jjfv

NOTE: Tiny Technologies would like to thank Masato Kinugawa of https://cure53.de/[Cure53] for discovering this vulnerability.


### Notification messages containing HTML were not properly XSS sanitized before being displayed.
=== Notification messages containing HTML were not properly XSS sanitized before being displayed.
//#TINY-10286

A https://owasp.org/www-community/attacks/xss/[cross-site scripting] (XSS) vulnerability was discovered in {productname}'s Notification Manager API. The vulnerability exploits {productname}'s unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered.
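Review bot: changing the heading from `###` to `===` is the right fix (the Markdown form is not a heading in AsciiDoc), but the heading keeps a trailing full stop that the other release-note section headings, for example the `=== Special characters ...` heading added to the 6.7.3 page in this commit, do not use; drop the period for consistency.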
39 changes: 39 additions & 0 deletions modules/ROOT/pages/6.7.3-release-notes.adoc
@@ -0,0 +1,39 @@
= TinyMCE 6.7.3
:navtitle: TinyMCE 6.7.3
:description: Release notes for TinyMCE 6.7.3
:keywords: releasenotes, new, changes, bugfixes
:page-toclevels: 1

include::partial$misc/admon-releasenotes-for-stable.adoc[]

[[overview]]
== Overview

{productname} 6.7.3 was released for {enterpriseversion} and {cloudname} on Wednesday, November 15^th^, 2023. These release notes provide an overview of the changes for {productname} 6.7.3, including:

* xref:security-fixes[Security fixes]


[[security-fixes]]
== Security fixes

{productname} 6.7.3 includes a fix for the following security issue:

=== Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin

A https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations[mutation cross-site scripting] (mXSS) vulnerability was discovered in {productname}’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the https://html.spec.whatwg.org/multipage/parsing.html#serialising-html-fragments[HTML standard]. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitization layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. Such mutations occur when serialized HTML content is processed before being stored in the undo stack, or when the following APIs and plugins are used:

* https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#getContent[tinymce.Editor.getContent({ format: 'raw' })]
* https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#resetContent[tinymce.Editor.resetContent()]
* https://tiny.cloud/docs/tinymce/6/autosave/[Autosave Plugin]

This vulnerability has been patched in {productname} 6.7.3 by:

* ensuring that any unescaped text nodes which contain the special internal marker are emptied before removing the marker from the rest of the HTML, and;
* removing the special internal marker from content strings passed to `Editor.setContent`, `Editor.insertContent`, and `Editor.resetContent` APIs to prevent them from being loaded into the editor as user-provided content.

CVE: pending.

GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8[GitHub Advisory].

NOTE: Tiny Technologies would like to thank Masato Kinugawa of https://cure53.de/[Cure53] for discovering this vulnerability.
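Review bot: the `=== Special characters ...` heading runs `getContentAPI` and `resetContentAPI` together, while the body names them `tinymce.Editor.getContent({ format: 'raw' })` and `tinymce.Editor.resetContent()`; the heading should read `getContent API` and `resetContent API`. Two smaller points: the first item of the "patched by" list ends with `, and;`, which should be `; and`, and `CVE: pending.` needs a follow-up item so the identifier is filled in once assigned, as DOC-2200 did for the 6.7.1 notes.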
17 changes: 17 additions & 0 deletions modules/ROOT/pages/changelog.adoc
Expand Up @@ -4,6 +4,23 @@

NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes].

== 6.7.3 - 2023-11-15

### Changed
* Zero width no-break space (U+FEFF) characters are removed from content passed to `setContent`, `insertContent`, and `resetContent` APIs.
* Zero width no-break space (U+FEFF) characters in initial content are not loaded into the editor upon initialization.

### Fixed
* Specific HTML content containing unescaped text nodes caused mXSS when using undo/redo.
* Specific HTML content containing unescaped text nodes caused mXSS when using the `getContent` and `setContent` APIs with the `format: 'raw'` option, which also affected the `resetContent` API and the draft restoration feature of the Autosave plugin.

== 6.7.2 - 2023-10-25

=== Fixed
* The function `getModifierState` did not work on events passed through the editor as expected.
* Indenting or outdenting a list item that contained non list item siblings after it would result in those siblings being removed.
* Removed use of async for editor rendering which caused visual blinking when reloading the editor in-place.
* Toggling a list that contained a list item element — <li> — which, in turn, contained another list item element as its first child, removed other content within the first list item element.

== 6.7.2 - 2023-10-25

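Review bot: the hunk is 17 added lines ending at the `* Toggling a list ...` item, and the line after it is the file's existing `== 6.7.2 - 2023-10-25` heading, so the 6.7.2 section with its four Fixed entries now appears twice; the added copy should be removed. Within the new 6.7.3 section, `### Changed` and `### Fixed` are Markdown headings that AsciiDoc will not render as headings (the existing 6.7.2 section uses `=== Fixed`), the same mistake the 6.7.1 release-notes hunk in this commit corrects, so use `=== Changed` and `=== Fixed`.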
6 changes: 6 additions & 0 deletions modules/ROOT/pages/release-notes.adoc
Expand Up @@ -9,6 +9,12 @@ This section lists the releases for {productname} 6 and the changes made in each
[cols="1,1"]
|===

a|
[.lead]
xref:6.7.3-release-notes.adoc#overview[{productname} 6.7.3]

Release notes for {productname} 6.7.3

a|
[.lead]
xref:6.7.2-release-notes.adoc#overview[{productname} 6.7.2]
2 changes: 2 additions & 0 deletions modules/ROOT/pages/tinymce-for-mobile.adoc
Expand Up @@ -21,6 +21,8 @@ The mobile experience allows most of the {productname} plugins to work on mobile

NOTE: iPads do not use the `+mobile+` part of the {productname} init configuration. This is due to a constraint added by Apple to return the environment as a "desktop environment" for iPads. iPad users will receive the other changes to touch functionality, such as context toolbars and context menus.

include::partial$misc/admon-mobile-context-menus.adoc[]

include::partial$misc/mobile-platform-compatibility.adoc[]

== Configuring mobile
2 changes: 2 additions & 0 deletions modules/ROOT/partials/configuration/contextmenu.adoc
Expand Up @@ -21,6 +21,8 @@ To disable the editor's context menu, set this option to `+false+`.

include::partial$misc/admon-ctrl-right-click.adoc[]

include::partial$misc/admon-mobile-context-menus.adoc[]

=== Example: using `+contextmenu+`

[source,js]
3 changes: 3 additions & 0 deletions modules/ROOT/partials/misc/admon-mobile-context-menus.adoc
@@ -0,0 +1,3 @@
NOTE: When a {productname} context menu is configured, a user on a mobile device can access the {productname} context menu by a _long press_. However, when a {productname} context menu is not configured but a {productname} context toolbar is, _long press_ will instead open the context toolbar.

IMPORTANT: The native context menu on a mobile device can still be accessed with a {productname} context menu configured, either by a _single tap_ on iOS, or by a _double tap_ on Android. However if the `+contextmenu_never_use_native+` option is enabled, neither _single_ nor _double tap_ will have any effect.
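Review bot: `neither _single_ nor _double tap_ will have any effect` is ambiguous about whether the tap does nothing at all or only stops opening the native menu; since the sentence is about the native context menu, say `will open the native context menu`, and add the missing comma after `However` in that sentence.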
