Make WordPress Core

Opened 5 years ago

Last modified 3 weeks ago

#47218 new enhancement

Update TinyMCE to 5.X.X or 6.X.X

Reported by: Presskopp
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: TinyMCE
Keywords: 2nd-opinion
Focuses:
Cc:

Description

TinyMCE Version 5.0.5 was released on May 9, 2019, see:

https://www.tiny.cloud/docs/release-notes/release-notes50/
https://www.tiny.cloud/docs/changelog/

Don't we want to keep it up to date?

It could break things, though, see:

https://www.tiny.cloud/docs/migration-from-4x/

related: #47205

Change History (41)

#1 @Presskopp
5 years ago

  • Component changed from General to TinyMCE

#2 @azaozz
5 years ago

  • Keywords dev-feedback removed

There are no plans (for now) to migrate to TinyMCE 5. Yep, see https://www.tiny.cloud/docs/migration-from-4x/.

Last edited 5 years ago by azaozz

This ticket was mentioned in Slack in #core-editor by modernnerd (4 years ago).

#5 @archon810
4 years ago

Any changes to this plan now that we're closing in on v4 EOL?

#6 @archon810
4 years ago

v5 resolves this bug #51367.

Last edited 4 years ago by SergeyBiryukov

#7 @azaozz
3 years ago

Been looking at/thinking about what are the best options here for a while. The problem is that there is no official "migrate" plugin when upgrading from 4.x to 5.x like the compat3x plugin for migrating (back-compat) from 3.x to 4.x.

There are quite a few API changes in 5.x: renamed methods, deprecated functions and settings, new UI with a bit different HTML structure and CSS classes, etc. that break backwards compatibility. See: https://www.tiny.cloud/docs/migration-from-4x/.

For example, editor.addButton() is perhaps the most used API call in WordPress plugins that add custom TinyMCE plugins. In TinyMCE 5.x this results in an error, see: https://github.com/tinymce/tinymce/blob/014d8599bb398168a98e8c9964bc29a394d75cd8/modules/tinymce/src/core/main/ts/api/Editor.ts#L1130. Changes:

TinyMCE 4:

editor.addButton('mybutton', {
  text: 'My Button',
  cmd: 'mceSave'
});

TinyMCE 5:

editor.ui.registry.addButton('myButton', {
  text: 'My Button',
  onAction: function () {
    editor.execCommand('mceSave');
  }
});

(In addition the "button settings" have changed too. There's no more support for cmd; instead a callback function is needed, and there's no onclick, it has been renamed to onAction.)

What will it take to upgrade TinyMCE to version 5.x in WordPress?

As far as I see:

  • Create a team of (as many of) the authors of WordPress plugins that add TinyMCE code/plugins. The main purpose of the team would be to determine and then test all needed changes to core, and perhaps to "spread the word".
  • Make an in-house compat4x plugin for TinyMCE 5.x. Looks like it won't be possible to have "full" compatibility, but most cases of deprecation and renamed functions/methods can be patched/fixed.
  • Make a feature plugin with the updated TinyMCE and the above compat plugin.
  • Test the feature plugin. Ask "everybody" to test as much as possible to catch edge cases that can be fixed/patched.
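
The compat-plugin idea from comment 7, as an added example that is not part of the ticket and is not WordPress or TinyMCE code: a shim that accepts the TinyMCE 4 editor.addButton() call and registers the button through editor.ui.registry.addButton(), turning cmd and onclick into onAction and reporting the settings it cannot translate. The function names, the mock editor and the rule that cmd wins over onclick are assumptions made so the sketch runs without TinyMCE.

```javascript
// Added sketch, not TinyMCE or WordPress code; function names are hypothetical.
function installAddButtonCompat(editor) {
  const dropped = []; // settings the shim could not translate, for test reports
  editor.addButton = function (name, settings) {
    const spec = {};
    let action = function () {}; // onAction must always be callable
    for (const [key, value] of Object.entries(settings)) {
      if (key === 'text') {
        spec.text = value;
      } else if (key === 'cmd') {
        // No cmd setting in 5.x: wrap the command in a callback.
        action = () => editor.execCommand(value);
      } else if (key === 'onclick') {
        // Renamed to onAction. Assumption of this sketch: cmd wins if both are set.
        if (!settings.cmd) action = () => value.call(editor);
      } else {
        dropped.push(name + '.' + key);
      }
    }
    spec.onAction = action;
    editor.ui.registry.addButton(name, spec);
  };
  return dropped;
}

// Constructed stand-in for a TinyMCE 5 editor so the sketch runs offline.
function makeMockEditor() {
  const editor = {
    buttons: {},
    commands: [],
    execCommand(cmd) { editor.commands.push(cmd); },
    ui: { registry: { addButton(name, spec) { editor.buttons[name] = spec; } } },
    // Stand-in for the 5.x behaviour described above: the old call is an error.
    addButton() { throw new Error('addButton is not available'); },
  };
  return editor;
}

function demo() {
  const editor = makeMockEditor();
  const dropped = installAddButtonCompat(editor);
  let clicks = 0;
  // First call is the TinyMCE 4 snippet from the comment, unchanged.
  editor.addButton('mybutton', { text: 'My Button', cmd: 'mceSave' });
  editor.addButton('legacy', { text: 'Old', onclick() { clicks += 1; }, onpostrender() {} });
  Object.values(editor.buttons).forEach((spec) => spec.onAction());
  return { commands: editor.commands, clicks, dropped };
}
console.log(demo());
```

The dropped list is what a feature-plugin test run would collect to see which third-party button settings still need a manual port.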


#8 @ajtruckle
3 years ago

I am interested in this as I use TinyMCE for bbPress. I also have my own plugin that adds a couple of plugins to the toolbar functionality.

But, I am not a PHP programmer. My knowledge of TinyMCE is limited. I would like to see it supported, else I will have serious problems down the road with bbPress, since TinyMCE authors are cutting off support for v4 at the end of 2020.

#9 @ajtruckle
3 years ago

Naturally many times the TinyMCE has been updated. Like when it went from 3 to 4. So is it documented where code needs changing? Someone (not me) needs to take charge of any team and direct people on what bit they can do.

It just seems like we are reinventing the wheel a bit. Someone must know what code in WordPress makes use of TinyMCE as a starter. But if not, how do we find out?

This ticket was mentioned in Slack in #core by bandonrandon (3 years ago).

#11 @leadsquad
3 years ago

Any news with updating to TinyMCE 5?

#12 @herrizal
3 years ago

There are security fixes in TinyMCE v5.1.6 that maybe can help to push the TinyMCE update.

#13 @ajtruckle
3 years ago

I hope that support will be added. I simply am not in a position nor have the ability to upgrade it myself but I heavily rely on TinyMCE.

Gutenberg is fine for creating my pages and posts but it is by no means appropriate for something like bbPress where any user would expect just a nice toolbar at the top.

#14 @datverse
3 years ago

Hi,
Any info about updating TinyMCE to version 5?
Gutenberg is good for building pages as a page builder; TinyMCE is still good for creating/updating posts and data.
Many plugins still use TinyMCE (WooCommerce etc.).
Please update info about this.
Thanks

#15 @souri
3 years ago

An update would be much appreciated!

#16 @SteelWagstaff
3 years ago

#54348 was marked as a duplicate.

#17 @SteelWagstaff
3 years ago

Just wanted to note that recent versions of TinyMCE include several improvements that would be useful for WordPress users who continue to use the Classic Editor, including several accessibility improvements and security fixes (see https://www.tiny.cloud/docs/release-notes/ for specific details). Now that support for Classic Editor has been extended through the end of 2022 (https://wordpress.org/news/2021/08/an-update-on-the-classic-editor-plugin/), it would be nice to update TinyMCE to a version which will be supported through that window (5.9 or 5.10). I recognize the difficulty of moving from 4.x to 5.x noted by @azaozz last year, particularly since there is not a compatibility plugin available for migration. Have there been any efforts since last year to convene plugin administrators or work on a migration plugin, either by Tiny or by WordPress core maintainers?

#18 @joyously
3 years ago

See this plugin, which is getting pretty close: https://github.com/ClassicPress-research/ClassicPress-Editor
I tested it yesterday in WP 5.2 and it worked (Classic block), although I had to use a define so it loaded correctly.
Edit: I just want to add that 5.x isn't distinguishably better, and the internal changes are large enough that the security issues were from 5.x, not from 4.x (that's just a guess). I was testing the a11y yesterday and it seems the toolbar is less accessible than before.

Last edited 3 years ago by joyously

#19 @ajtruckle
3 years ago

Thanks for the link. I have just added a message there on GitHub.

#20 @SteelWagstaff
3 years ago

There is a 'moderate severity' security vulnerability which can affect users while editing images or links for all versions of TinyMCE prior to 5.10.0. See https://github.com/advisories/GHSA-r8hm-w5f7-wj39 for details.

#21 @ajtruckle
3 years ago

Interesting. I wish we could support 5.10.x asap. But I am not a website developer as such and I do not have the knowledge / skills to bring this to fruition. My bbPress website relies heavily on TinyMCE and the WordPress backend also uses TinyMCE. Gutenberg is OK for developing web pages and posts, although I do find it a little awkward at times. But it is not suitable for where TinyMCE should be used. They are not the same and serve different purposes.

I just wish that those who implemented TinyMCE support were able to keep on top of it and migrate it, or it be documented, so that those who knew how to do this would have a reference point.

Beyond me sadly.

Version 0, edited 3 years ago by ajtruckle

#23 follow-up: @ajtruckle
2 years ago

@Presskopp At first I thought you meant it was "coming our way" as in "coming to WordPress". But now I see that you are saying we just as well skip TinyMCE5 and go to TinyMCE6!

It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.

Using Gutenberg in something like bbPress is a no no.

If I knew what to do I would have done it. Sorry I can't help the team.

#24 in reply to: ↑ 23 ; follow-up: @joyously
2 years ago

Replying to ajtruckle:

> It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.
>
> If I knew what to do I would have done it. Sorry I can't help the team.

"no one is going to do it"? Please see my previous comment with the link to the repo for the plugin that attempts the upgrade. It is mostly working, but there are problems with how to integrate the choices they made for 5.x (and 6.x). What is needed is JS expertise, but also people to test and suggest alternative UI for the compromises that have to be made for the newer versions. I've hit a brick wall and no support...

#25 in reply to: ↑ 24 @ajtruckle
2 years ago

Replying to joyously:

> Replying to ajtruckle:
>
> > It just seems no one is going to do it. I just don't understand why it is not considered a core feature of WordPress. Our use of WordPress does not always revolve around the Gutenberg concept.
> >
> > If I knew what to do I would have done it. Sorry I can't help the team.
>
> "no one is going to do it"? Please see my previous comment with the link to the repo for the plugin that attempts the upgrade. It is mostly working, but there are problems with how to integrate the choices they made for 5.x (and 6.x). What is needed is JS expertise, but also people to test and suggest alternative UI for the compromises that have to be made for the newer versions. I've hit a brick wall and no support...

I did not see that link before. Sorry. I am happy to try it on my staging version of my website for you but as you say, it needs someone with JS knowledge to come forward really.

#26 @Presskopp
2 years ago

  • Summary changed from Update TinyMCE to 5.X.X to Update TinyMCE to 5.X.X or 6.X.X

This ticket was mentioned in Slack in #core by sergey (23 months ago).

This ticket was mentioned in Slack in #core-editor by azaozz (23 months ago).

#29 @jkfoiztmcjeikfp
22 months ago

To add to this discussion:

The included version of TinyMCE has security vulnerabilities, making it harder to use WordPress in an enterprise context, where stuff like this is monitored.

https://security.snyk.io/vuln/SNYK-JS-TINYMCE-1766967

Maybe there is a way to prioritize an upgrade.

#30 @joyously
18 months ago

#57374 was marked as a duplicate.

#31 @jorbin
17 months ago

#57620 was marked as a duplicate.

#33 @wpsalvio
15 months ago

Hello Team,

we used retire.js to validate our solution based on WordPress 5.5.11 and it showed that the application uses an outdated version (4.9.10) of tinyMCE.

As a best practice we always try to stay on (or near to) the latest version of any embedded libraries to ensure that the application has the most recent security patches.

Are there plans to update TinyMCE to a more recent (ideally the latest) version?

Is WordPress perhaps not affected by the vulnerabilities mentioned in the above posts?

Please let me know your point of view and if I am better off with a custom remediation and just patch the library on my own.

Best Regards to all and thanks for the brilliant work you do!

#34 follow-up: @wpsalvio
15 months ago

Hello @azaozz! The TinyMCE version embedded in WordPress is affected by these two CVEs.

https://nvd.nist.gov/vuln/detail/CVE-2020-12648
https://nvd.nist.gov/vuln/detail/CVE-2022-23494

Does this mean that WordPress is also affected, or does the way you use the library prevent these from happening?

Thank you!

#35 in reply to: ↑ 34 @azaozz
15 months ago

Replying to wpsalvio:

> The TinyMCE version embedded in WordPress is affected by these two CVEs.
>
> https://nvd.nist.gov/vuln/detail/CVE-2020-12648
> https://nvd.nist.gov/vuln/detail/CVE-2022-23494

Not quite :)

WordPress is not affected by CVE-2020-12648 as TinyMCE was updated to 4.9.11 (the fixed version) two years ago. See [49557].

I'm not able to reproduce CVE-2022-23494. Not even sure if it affects TinyMCE 4.x, the examples are only for 5.x and 6.x. Also not sure how that can be exploited in WP. Seems it requires a "rogue" TinyMCE plugin to be loaded which is not possible in normal operation. (If somebody has access to PHP or JS to load a TinyMCE plugin, they can completely take over "everything". No point to compromise just the editor.)

Last edited 15 months ago by azaozz

This ticket was mentioned in Slack in #accessibility by steelwagstaff (9 months ago).

This ticket was mentioned in Slack in #core by swissspidy (3 months ago).

#38 @Presskopp
3 weeks ago

FYI:

TinyMCE 4 EOL: December 31, 2020
TinyMCE 5 EOL: April 20, 2023
TinyMCE 6 End of Community Support: March 20, 2024
TinyMCE 7 End of Community Support: May 08, 2024

TinyMCE 7.1 is the current version

see https://www.tiny.cloud/docs/tinymce/latest/support/

#39 @ajtruckle
3 weeks ago

@Presskopp
I have officially given up on this being addressed. As a result I am slowly moving my support forum features from bbPress to GitHub.

This ticket was mentioned in Slack in #core by presskopp (3 weeks ago).

This ticket was mentioned in Slack in #core by azaozz (3 weeks ago).
