Opened 4 years ago
Last modified 2 months ago
#47218 new enhancement
Update TinyMCE to 5.X.X or 6.X.X
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | TinyMCE | Keywords: | 2nd-opinion |
| Focuses: | Cc: |
Description
TinyMCE Version 5.0.5 has been released on May 9, 2019, see:
https://www.tiny.cloud/docs/release-notes/release-notes50/
https://www.tiny.cloud/docs/changelog/
Don't we want to keep it up to date?
It could break things, though, see :
https://www.tiny.cloud/docs/migration-from-4x/
related: #47205
Change History (35)
This ticket was mentioned in Slack in #core-editor by modernnerd. View the logs.
3 years ago
#7
@
2 years ago
Been looking at/thinking about what are the best options here for a while. The problem is that there is no official "migrate" plugin when upgrading from 4.x to 5.x like the compat3x plugin for migrating (back-compat) from 3.x to 4.x.
There are quite a few API changes in 5.x: renamed methods, deprecated functions and settings, new UI with a bit different HTML stricture and CSS classes, etc. that break backwards compatibility. See: https://www.tiny.cloud/docs/migration-from-4x/.
For example, editor.addButton() is perhaps the most used API call in WordPress plugins that add custom TinyMCE plugins. In TinyMCE 5.x this results in an error, see: https://github.com/tinymce/tinymce/blob/014d8599bb398168a98e8c9964bc29a394d75cd8/modules/tinymce/src/core/main/ts/api/Editor.ts#L1130. Changes:
TinyMCE 4:
editor.addButton('mybutton', {
text: 'My Button',
cmd: 'mceSave'
});
TinyMCE 5:
editor.ui.registry.addButton('myButton', {
text: 'My Button',
onAction: function () {
editor.execCommand('mceSave');
}
});
(In addition the "button settings" have changed too. There's no more support for cmd, instead a callback function is needed, and there's no onclick, has been renamed to onAction.)
What it will take to upgrade TinyMCE to version 5.x in WordPress?
As far as I see:
- Create a team of (as many of) the authors of WordPress plugins that add TinyMCE code/plugins. The main purpose of the team would be to determine and then test all needed changes to core, and perhaps to "spread the word".
- Make an in-house
compat4xplugin for TinyMCE 5.x. Looks like it won't be possible to have "full" compatibility, but most cases of deprecation and renamed functions/methods can be patched/fixed. - Make a feature plugin with the updated TinyMCE and the above compat plugin.
- Test the feature plugin. Ask "everybody" to test as much as possible to catch edge cases that can be fixed/patched.
#8
@
2 years ago
I am interested in this as I use TinyMCE for bbPress. I also have my own plugin that adds a couple of plugins to the toolbar functionality.
But, I am not a PHP programming. My knowledge of TinyMCE is limited. I would like to see it supported else I will have serious problems down the road with bbPress. Since TinyMCE authors are cutting off support for v4 at the end of 2020.
#9
@
2 years ago
Naturally many times the TinyMCE has been updated. Like when it went from 3 to 4. So is it documented where code needs changing? Someone (not me) needs to take charge of any team and direct people on what bit they can do.
It just seems like we are reinventing the wheel a bit. Someone must know what code in WordPress makes use of TinyMCE as a starter. But if not, how do we find out?
This ticket was mentioned in Slack in #core by bandonrandon. View the logs.
2 years ago
#12
@
2 years ago
there is security fixes in tinyMCE v5.1.6 that maybe can help to push tinyMCE update
#13
@
2 years ago
I hope that support will be added. I simply am not in a position nor have the ability to upgrade it myself but I heavily rely on TinyMCE.
GutenBerg is fine for creating my pages and posts but it is by no means appropriate for something like bbPress where any user would expect u=just a nice toolbar at the top.
#14
@
2 years ago
Hi,
Any info about update for TinyMCE to version 5?
GutenBerg good for build Page as a page builder, TinyMCE still good for create/update POST and DATA.
Many Plugin still use TinyMCE (WooCommerce etc).
Please update info about this.
Thanks
#17
@
19 months ago
Just wanted to note that recent versions of TinyMCE include several improvements that would be useful for WordPress users who continue to use the Classic Editor, including several accessibility improvements and security fixes (see https://www.tiny.cloud/docs/release-notes/ for specific details). Now that support for Classic Editor has been extended through the end of 2022 (https://wordpress.org/news/2021/08/an-update-on-the-classic-editor-plugin/), it would be nice to update TinyMCE to a version which will be supported through that window (5.9 or 5.10). I recognize the difficulty of moving from 4.x to 5.x noted by @azaozz last year, particularly since there is not a compatibility plugin available for migration. Have there been any efforts since last year to convene plugin administrators or work on a migration plugin, either by Tiny or by WordPress core maintainers?
#18
@
19 months ago
See this plugin, which is getting pretty close: https://github.com/ClassicPress-research/ClassicPress-Editor
I tested it yesterday in WP 5.2 and it worked (Classic block), although I had to use a define so it loaded correctly.
Edit: I just want to add that 5.x isn't distinguishably better, and the internal changes are large enough that the security issues were from 5.x, not from 4.x (that's just a guess). I was testing the a11y yesterday and it seems the toolbar is less accessible than before.
#20
@
19 months ago
There is 'moderate severity' security vulnerability which can affect users while editing images or links for all versions of TinyMCE which prior to 5.10.0. See https://github.com/advisories/GHSA-r8hm-w5f7-wj39 for details.
#21
@
19 months ago
Interesting. I wish we could support 5.10.x asap. But I am not a website developer as such and I do not have the knowledge / skills to bring this to fruition. My bbPress website relies heavingy on TinyMCE and the WordPress Backend aldo uses TinyMCE. Gutenberg is OK for developing web pages and posts, although I do find it a little awkward at times. But it is not suitable for where TinyMCE should be used. They are not the same and serve different purposes.
I just wish that those who implemented TinyMCE support were able to keep on top of it and migrate it, or it be documented, so that those who knew how to do this would have a reference point.
Beyond me sadly.
#22
@
16 months ago
FYI - TinyMCE 6 is coming our way:
https://www.tiny.cloud/docs/release-notes/6.0-upcoming-changes/
#23
follow-up:
↓ 24
@
16 months ago
@Presskopp At first I thought you meant it was "coming our way" as in "coming to WordPress". But now I see that you are saying we just as well skip TinyMCE5 and go to TinyMCE6!
It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.
Using Gutenberg in something like bbPress is a no no.
If I knew what to do I would have done it. Sorry I can't help the team.
#24
in reply to:
↑ 23
;
follow-up:
↓ 25
@
16 months ago
Replying to ajtruckle:
It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.
If I knew what to do I would have done it. Sorry I can't help the team.
"no one is going to do it"? Please see my previous comment with the link to the repo for the plugin that attempts the upgrade. It is mostly working, but there are problems with how to integrate the choices they made for 5.x (and 6.x). What is needed is JS expertise, but also people to test and suggest alternative UI for the compromises that have to be made for the newer versions. I've hit a brick wall and no support...
#25
in reply to:
↑ 24
@
16 months ago
Replying to joyously:
Replying to ajtruckle:
It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.
If I knew what to do I would have done it. Sorry I can't help the team.
"no one is going to do it"? Please see my previous comment with the link to the repo for the plugin that attempts the upgrade. It is mostly working, but there are problems with how to integrate the choices they made for 5.x (and 6.x). What is needed is JS expertise, but also people to test and suggest alternative UI for the compromises that have to be made for the newer versions. I've hit a brick wall and no support...
I did not see that link before. Sorry. I am happy to try it onmy staging version of my website for you but as you say, it needs someone with JS knowledge to come forward really.
#26
@
16 months ago
- Summary changed from Update TinyMCE to 5.X.X to Update TinyMCE to 5.X.X or 6.X.X
This ticket was mentioned in Slack in #core by sergey. View the logs.
10 months ago
This ticket was mentioned in Slack in #core-editor by azaozz. View the logs.
10 months ago
#29
@
9 months ago
To add to this discussion:
The included version of TinyMCE has security vulnerabilities. Making it harder to use WordPress in an enterprise context, where stuff like this is monitored.
https://security.snyk.io/vuln/SNYK-JS-TINYMCE-1766967
Maybe there is a way to prioritize an upgrade.
#32
@
3 months ago
Are there any plans to fix the ongoing vulnerabilities included in TinyMCE and thus in WordPress?
https://github.com/advisories/GHSA-w7jx-j77m-wp65
https://github.com/advisories/GHSA-5h9g-x5rv-25wg
https://github.com/advisories/GHSA-r8hm-w5f7-wj39
https://github.com/tinymce/tinymce/security/advisories/GHSA-h96f-fc7c-9r55
https://github.com/tinymce/tinymce/commit/09bfb1dcb176611d22a477666d8cea72cd14c3fe
How can this not be an urgent issue, that has to be fixed?
#33
@
2 months ago
Hello Team,
we used retire.js to validate our solution based on WordPress 5.5.11 and it showed that the application uses an outdated version (4.9.10) of tinyMCE.
As a best practice we always try to stay on (or near to) the latest version of any embedded libraries to ensure that the application has the most recent security patches.
Are there plans to update TinyMCE to a more recent (ideally the latest) version?
Is WordPress perhaps not affected by the vulnerabilities mentioned in the above posts?
Please let me know your point of view and if I am better off with a custom remediation and just patch the library on my own.
Best Regards to all and thanks for the brilliant work you do !
#34
follow-up:
↓ 35
@
2 months ago
Hello @azaozz ! The TinyMCE version embedded in WordPress is affected by these two CVEs.
https://nvd.nist.gov/vuln/detail/CVE-2020-12648
https://nvd.nist.gov/vuln/detail/CVE-2022-23494
Does this means that also WordPress is affected or the way you use the library prevents these from happening?
Thank you!
#35
in reply to:
↑ 34
@
2 months ago
Replying to wpsalvio:
The TinyMCE version embedded in WordPress is affected by these two CVEs.
https://nvd.nist.gov/vuln/detail/CVE-2020-12648
https://nvd.nist.gov/vuln/detail/CVE-2022-23494
Not quite :)
WordPress is not affected by CVE-2020-12648 as TinyMCE was updated to 4.9.11 (the fixed version) two years ago. See [49557].
I'm not able to reproduce CVE-2022-23494. Not even sure if it affects TinyMCE 4.x, the examples are only for 5.x and 6.x. Also not sure how that can be exploited in WP. Seems it requires a "rogue" TinyMCE plugin to be loaded which is not possible in normal operation. (If somebody has access to PHP or JS to load a TinyMCE plugin, they can completely take over "everything". No point to compromise just the editor.)
There are no plans (for now) to migrate to TinyMCE 5. Yep, see https://www.tiny.cloud/docs/migration-from-4x/.