Update TinyMCE to 5.X.X or 6.X.X

[Presskopp]

TinyMCE Version 5.0.5 has been released on May 9, 2019, see:

​https://www.tiny.cloud/docs/release-notes/release-notes50/
​https://www.tiny.cloud/docs/changelog/

Don't we want to keep it up to date?

It could break things, though, see :

​https://www.tiny.cloud/docs/migration-from-4x/

related: #47205

[azaozz]

There are no plans (for now) to migrate to TinyMCE 5. Yep, see ​https://www.tiny.cloud/docs/migration-from-4x/.

[Presskopp]

related #47437

[archon810]

Any changes to this plan now that we're closing in on v4 EOL?

[archon810]

v5 resolves this bug #51367.

[azaozz]

Been looking at/thinking about what are the best options here for a while. The problem is that there is no official "migrate" plugin when upgrading from 4.x to 5.x like the compat3x plugin for migrating (back-compat) from 3.x to 4.x.

There are quite a few API changes in 5.x: renamed methods, deprecated functions and settings, new UI with a bit different HTML stricture and CSS classes, etc. that break backwards compatibility. See: ​https://www.tiny.cloud/docs/migration-from-4x/.

For example, editor.addButton() is perhaps the most used API call in WordPress plugins that add custom TinyMCE plugins. In TinyMCE 5.x this results in an error, see: ​https://github.com/tinymce/tinymce/blob/014d8599bb398168a98e8c9964bc29a394d75cd8/modules/tinymce/src/core/main/ts/api/Editor.ts#L1130. Changes:

TinyMCE 4:

editor.addButton('mybutton', {
  text: 'My Button',
  cmd: 'mceSave'
});

TinyMCE 5:

editor.ui.registry.addButton('myButton', {
  text: 'My Button',
  onAction: function () {
    editor.execCommand('mceSave');
  }
});

(In addition the "button settings" have changed too. There's no more support for cmd, instead a callback function is needed, and there's no onclick, has been renamed to onAction.)

What it will take to upgrade TinyMCE to version 5.x in WordPress?

As far as I see:

• Create a team of (as many of) the authors of WordPress plugins that add TinyMCE code/plugins. The main purpose of the team would be to determine and then test all needed changes to core, and perhaps to "spread the word".
• Make an in-house compat4x plugin for TinyMCE 5.x. Looks like it won't be possible to have "full" compatibility, but most cases of deprecation and renamed functions/methods can be patched/fixed.
• Make a feature plugin with the updated TinyMCE and the above compat plugin.
• Test the feature plugin. Ask "everybody" to test as much as possible to catch edge cases that can be fixed/patched.

[ajtruckle]

I am interested in this as I use TinyMCE for bbPress. I also have my own plugin that adds a couple of plugins to the toolbar functionality.

But, I am not a PHP programming. My knowledge of TinyMCE is limited. I would like to see it supported else I will have serious problems down the road with bbPress. Since TinyMCE authors are cutting off support for v4 at the end of 2020.

[ajtruckle]

Naturally many times the TinyMCE has been updated. Like when it went from 3 to 4. So is it documented where code needs changing? Someone (not me) needs to take charge of any team and direct people on what bit they can do.

It just seems like we are reinventing the wheel a bit. Someone must know what code in WordPress makes use of TinyMCE as a starter. But if not, how do we find out?

[leadsquad]

Any news with updating to TinyMCE 5?

[herrizal]

there is ​security fixes in tinyMCE v5.1.6 that maybe can help to push tinyMCE update

[ajtruckle]

I hope that support will be added. I simply am not in a position nor have the ability to upgrade it myself but I heavily rely on TinyMCE.

GutenBerg is fine for creating my pages and posts but it is by no means appropriate for something like bbPress where any user would expect u=just a nice toolbar at the top.

[datverse]

Hi,
Any info about update for TinyMCE to version 5?
GutenBerg good for build Page as a page builder, TinyMCE still good for create/update POST and DATA.
Many Plugin still use TinyMCE (WooCommerce etc).
Please update info about this.
Thanks

[souri]

An update would be much appreciated!

[SteelWagstaff]

#54348 was marked as a duplicate.

[SteelWagstaff]

Just wanted to note that recent versions of TinyMCE include several improvements that would be useful for WordPress users who continue to use the Classic Editor, including several accessibility improvements and security fixes (see ​https://www.tiny.cloud/docs/release-notes/ for specific details). Now that support for Classic Editor has been extended through the end of 2022 (​https://wordpress.org/news/2021/08/an-update-on-the-classic-editor-plugin/), it would be nice to update TinyMCE to a version which will be supported through that window (5.9 or 5.10). I recognize the difficulty of moving from 4.x to 5.x noted by @azaozz last year, particularly since there is not a compatibility plugin available for migration. Have there been any efforts since last year to convene plugin administrators or work on a migration plugin, either by Tiny or by WordPress core maintainers?

[joyously]

See this plugin, which is getting pretty close: ​https://github.com/ClassicPress-research/ClassicPress-Editor
I tested it yesterday in WP 5.2 and it worked (Classic block), although I had to use a define so it loaded correctly.
Edit: I just want to add that 5.x isn't distinguishably better, and the internal changes are large enough that the security issues were from 5.x, not from 4.x (that's just a guess). I was testing the a11y yesterday and it seems the toolbar is less accessible than before.

[ajtruckle]

Thanks for the link. I have just added a message there on GitHub.

[SteelWagstaff]

There is 'moderate severity' security vulnerability which can affect users while editing images or links for all versions of TinyMCE which prior to 5.10.0. See ​https://github.com/advisories/GHSA-r8hm-w5f7-wj39 for details.

[ajtruckle]

Interesting. I wish we could support 5.10.x asap. But I am not a website developer as such and I do not have the knowledge / skills to bring this to fruition. My bbPress website relies heavingy on TinyMCE and the WordPress Backend aldo uses TinyMCE. Gutenberg is OK for developing web pages and posts, although I do find it a little awkward at times. But it is not suitable for where TinyMCE should be used. They are not the same and serve different purposes.

I just wish that those who implemented TinyMCE support were able to keep on top of it and migrate it, or it be documented, so that those who knew how to do this would have a reference point.

Beyond me sadly.

[Presskopp]

FYI - TinyMCE 6 is coming our way:

​https://www.tiny.cloud/docs/release-notes/6.0-upcoming-changes/

[ajtruckle]

@Presskopp At first I thought you meant it was "coming our way" as in "coming to WordPress". But now I see that you are saying we just as well skip TinyMCE5 and go to TinyMCE6!

It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.

Using Gutenberg in something like bbPress is a no no.

If I knew what to do I would have done it. Sorry I can't help the team.

[joyously]

Replying to ajtruckle:

It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.

If I knew what to do I would have done it. Sorry I can't help the team.

"no one is going to do it"? Please see my previous comment with the link to the repo for the plugin that attempts the upgrade. It is mostly working, but there are problems with how to integrate the choices they made for 5.x (and 6.x). What is needed is JS expertise, but also people to test and suggest alternative UI for the compromises that have to be made for the newer versions. I've hit a brick wall and no support...

[ajtruckle]

Replying to joyously:

Replying to ajtruckle:

It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.

If I knew what to do I would have done it. Sorry I can't help the team.

"no one is going to do it"? Please see my previous comment with the link to the repo for the plugin that attempts the upgrade. It is mostly working, but there are problems with how to integrate the choices they made for 5.x (and 6.x). What is needed is JS expertise, but also people to test and suggest alternative UI for the compromises that have to be made for the newer versions. I've hit a brick wall and no support...

I did not see that link before. Sorry. I am happy to try it onmy staging version of my website for you but as you say, it needs someone with JS knowledge to come forward really.

[jkfoiztmcjeikfp]

To add to this discussion:

The included version of TinyMCE has security vulnerabilities. Making it harder to use WordPress in an enterprise context, where stuff like this is monitored.

​https://security.snyk.io/vuln/SNYK-JS-TINYMCE-1766967

Maybe there is a way to prioritize an upgrade.

[joyously]

#57374 was marked as a duplicate.

[jorbin]

#57620 was marked as a duplicate.

[jkfoiztmcjeikfp]

Are there any plans to fix the ongoing vulnerabilities included in TinyMCE and thus in WordPress?

​https://github.com/advisories/GHSA-w7jx-j77m-wp65
​https://github.com/advisories/GHSA-5h9g-x5rv-25wg
​https://github.com/advisories/GHSA-r8hm-w5f7-wj39
​https://github.com/tinymce/tinymce/security/advisories/GHSA-h96f-fc7c-9r55
​https://github.com/tinymce/tinymce/commit/09bfb1dcb176611d22a477666d8cea72cd14c3fe

How can this not be an urgent issue, that has to be fixed?

[wpsalvio]

Hello Team,

we used retire.js to validate our solution based on WordPress 5.5.11 and it showed that the application uses an outdated version (4.9.10) of tinyMCE.

As a best practice we always try to stay on (or near to) the latest version of any embedded libraries to ensure that the application has the most recent security patches.

Are there plans to update TinyMCE to a more recent (ideally the latest) version?

Is WordPress perhaps not affected by the vulnerabilities mentioned in the above posts?

Please let me know your point of view and if I am better off with a custom remediation and just patch the library on my own.

Best Regards to all and thanks for the brilliant work you do !

[wpsalvio]

Hello @azaozz ! The TinyMCE version embedded in WordPress is affected by these two CVEs.

​https://nvd.nist.gov/vuln/detail/CVE-2020-12648
​https://nvd.nist.gov/vuln/detail/CVE-2022-23494

Does this means that also WordPress is affected or the way you use the library prevents these from happening?

Thank you!

[azaozz]

Replying to wpsalvio:

The TinyMCE version embedded in WordPress is affected by these two CVEs.

​https://nvd.nist.gov/vuln/detail/CVE-2020-12648
​https://nvd.nist.gov/vuln/detail/CVE-2022-23494

Not quite :)

WordPress is not affected by ​CVE-2020-12648 as TinyMCE was updated to 4.9.11 (the fixed version) two years ago. See [49557].

I'm not able to reproduce ​CVE-2022-23494. Not even sure if it affects TinyMCE 4.x, the examples are only for 5.x and 6.x. Also not sure how that can be exploited in WP. Seems it requires a "rogue" TinyMCE plugin to be loaded which is not possible in normal operation. (If somebody has access to PHP or JS to load a TinyMCE plugin, they can completely take over "everything". No point to compromise just the editor.)

[Presskopp]

FYI:

TinyMCE 4 EOL: December 31, 2020
TinyMCE 5 EOL: April 20, 2023
TinyMCE 6 End of Community Support: March 20, 2024
TinyMCE 7 End of Community Support: May 08, 2024

TinyMCE 7.1 is the current version

see ​https://www.tiny.cloud/docs/tinymce/latest/support/

[ajtruckle]

@Presskopp
I have officially given up on this being addressed. As I result I am slowly moving my support forum features from bbPress to GitHub.

[azaozz]

I have officially given up on this being addressed.

Please see what would (roughly) be required to update TinyMCE in WP at this point: https://core.trac.wordpress.org/ticket/47218#comment:7. As the old Edit Post screen is in maintenance mode, don't think there are/will be enough people to pull this off.

However it seems quite easy to include the ​GPL version of TinyMCE in a WP plugin. Then that plugin ​will be in full control of how it is set and used. This of course will not include all the WP enhancements and modifications, but as far as I see many of them are now part of TinyMCE 7.0+.

[graham73may]

I was trying to find the TinyMCE v4 documentation, but this is no longer available on the Tiny.cloud website.

The oldest available docs version is v5.
​https://www.tiny.cloud/docs/tinymce/5/

This thread could even be renamed to Update TinyMCE to 5.X.X or 6.X.X or 7.X.X

It does feel like the core non-gutenberg editor is being left to rot?

---

ACF is a very popular plugin for custom fields, maybe if we can encourage them to support an opt-in model for newer versions of TinyMCE it would give developers a few more options?

​https://support.advancedcustomfields.com/?post_type=topic&p=172196

[Presskopp]

#63300 was marked as a duplicate.

[desrosj]

I think it may be time to close this one out as maybelater.

While it may be frustrating, updating to the latest version of TinyMCE is not something that is a good use of contributor resources at this time because:

• This effort does not fall into the project's current priorities
• TinyMCE is no longer used in the block editor
• The Classic Editor has not been the default editor for nearly 7 years.
• The level of effort to update as detailed in comment:7 is non-trivial at best.
• Default WordPress itself would not benefit from the effort to upgrade the library since it's no longer using it.

There are ways for a plugin or theme to unregister/reregister a different version of the script for use within their own plugin, if that is a requirement for them.

If there are specific individual bugs in the 4.x implementation that are causing problems in plugins that choose to use the version shipped with Core, tickets can be submitted separately for these to be investigated.

Discussion can always continue on closed tickets and this can be reopened in the future if surrounding circumstances change.