
[Security] Bump tinymce from 5.5.1 to 5.7.1 #137

Closed

dependabot-preview[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/tinymce-5.7.1

Conversation

@dependabot-preview (Contributor)

Bumps tinymce from 5.5.1 to 5.7.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Regex denial of service vulnerability in codesample plugin

Impact

A regex denial of service (ReDoS) vulnerability was discovered in a dependency of the codesample plugin. The vulnerability allowed poorly formed ruby code samples to lock up the browser while performing syntax highlighting. This impacts users of the codesample plugin using TinyMCE 5.5.1 or lower.

Patches

This vulnerability has been patched in TinyMCE 5.6.0 by upgrading to a version of the dependency without the vulnerability.

Workarounds

To work around this vulnerability, either:

  • Upgrade to TinyMCE 5.6.0 or higher
  • Disable the codesample plugin
  • Disable ruby code samples using the codesample_languages setting
  • Override the PrismJS syntax highlighter to version 1.21.0 or higher using the codesample_global_prismjs setting

Acknowledgements

Tiny Technologies would like to thank Erik Krogh Kristensen at GitHub for discovering this vulnerability.

References

https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes

For more information

... (truncated)

Affected versions: < 5.6.0

Changelog

Sourced from tinymce's changelog.

Version 5.7.1 (2021-03-17)

  • Fixed the help dialog incorrectly linking to the changelog of TinyMCE 4 instead of TinyMCE 5 #TINY-7031
  • Fixed a bug where error messages were displayed incorrectly in the image dialog #TINY-7099
  • Fixed an issue where URLs were not correctly filtered in some cases #TINY-7025
  • Fixed a bug where context menu items with names that contained uppercase characters were not displayed #TINY-7072
  • Fixed context menu items lacking support for the disabled and shortcut properties #TINY-7073
  • Fixed a regression where the width and height were incorrectly set when embedding content using the media dialog #TINY-7074

Version 5.7.0 (2021-02-10)

  • Added IPv6 address support to the URI API. Patch contributed by dev7355608 #GH-4409
  • Added new structure and style properties to the TableModified event to indicate what kinds of modifications were made #TINY-6643
  • Added video and audio live embed support for the media plugin #TINY-6229
  • Added the ability to resize video and iframe media elements #TINY-6229
  • Added a new font_css setting for adding fonts to both the editor and the parent document #TINY-6199
  • Added a new ImageUploader API to simplify uploading image data to the configured images_upload_url or images_upload_handler #TINY-4601
  • Added an Oxide variable to define the container background color in fullscreen mode #TINY-6903
  • Added Oxide variables for setting the toolbar background colors for inline and sticky toolbars #TINY-6009
  • Added a new AfterProgressState event that is fired after editor.setProgressState calls complete #TINY-6686
  • Added support for table_column_resizing when inserting or deleting columns #TINY-6711
  • Changed table and table column copy behavior to retain an appropriate width when pasted #TINY-6664
  • Changed the lists plugin to apply list styles to all text blocks within a selection #TINY-3755
  • Changed the advlist plugin to log a console error message when the list plugin isn't enabled #TINY-6585
  • Changed the z-index of the setProgressState(true) throbber so it does not hide notifications #TINY-6686
  • Changed the type signature for editor.selection.getRng() incorrectly returning null #TINY-6843
  • Changed some SaxParser regular expressions to improve performance #TINY-6823
  • Changed editor.setProgressState(true) to close any open popups #TINY-6686
  • Fixed codesample highlighting performance issues for some languages #TINY-6996
  • Fixed an issue where cell widths were lost when merging table cells #TINY-6901
  • Fixed col elements incorrectly transformed to th elements when converting columns to header columns #TINY-6715
  • Fixed a number of table operations not working when selecting 2 table cells on Mozilla Firefox #TINY-3897
  • Fixed a memory leak by backporting an upstream Sizzle fix #TINY-6859
  • Fixed table width style was removed when copying #TINY-6664
  • Fixed focus lost while typing in the charmap or emoticons dialogs when the editor is rendered in a shadow root #TINY-6904
  • Fixed corruption of base64 URLs used in style attributes when parsing HTML #TINY-6828
  • Fixed the order of CSS precedence of content_style and content_css in the preview and template plugins. content_style now has precedence #TINY-6529
  • Fixed an issue where the image dialog tried to calculate image dimensions for an empty image URL #TINY-6611
  • Fixed an issue where scope attributes on table cells would not change as expected when merging or unmerging cells #TINY-6486
  • Fixed the plugin documentation links in the help plugin #DOC-703
  • Fixed events bound using DOMUtils not returning the correct result for isDefaultPrevented in some cases #TINY-6834
  • Fixed the "Dropped file type is not supported" notification incorrectly showing when using an inline editor #TINY-6834
  • Fixed an issue with external styles bleeding into TinyMCE #TINY-6735
  • Fixed an issue where parsing malformed comments could cause an infinite loop #TINY-6864
  • Fixed incorrect return types on editor.selection.moveToBookmark #TINY-6504
  • Fixed the type signature for editor.selection.setCursorLocation() incorrectly allowing a node with no offset #TINY-6843
  • Fixed incorrect behavior when editor is destroyed while loading stylesheets #INT-2282
  • Fixed figure elements incorrectly splitting from a valid parent element when editing the image within #TINY-6592
  • Fixed inserting multiple rows or columns in a table cloning from the incorrect source row or column #TINY-6906
  • Fixed an issue where new lines were not scrolled into view when pressing Shift+Enter or Shift+Return #TINY-6964
  • Fixed an issue where list elements would not be removed when outdenting using the Enter or Return key #TINY-5974
  • Fixed an issue where file extensions with uppercase characters were treated as invalid #TINY-6940
  • Fixed dialog block messages were not passed through TinyMCE's translation system #TINY-6971

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps [tinymce](https://github.com/tinymce/tinymce-dist) from 5.5.1 to 5.7.1. **This update includes a security fix.**
- [Release notes](https://github.com/tinymce/tinymce-dist/releases)
- [Changelog](https://github.com/tinymce/tinymce-dist/blob/master/changelog.txt)
- [Commits](tinymce/tinymce-dist@5.5.1...5.7.1)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
dependabot-preview[bot] added the dependencies, javascript and security labels on May 1, 2021.
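The advisory's workarounds, expressed as a check over a TinyMCE init() config. This is an added example, not code from the PR or from TinyMCE; the default codesample language list, the helper names and the sample configs are assumptions.

```javascript
// Added example, not from this PR or from TinyMCE: checks whether a TinyMCE
// init() config is exposed to the codesample ReDoS described in the advisory.
// The default language list and all helper names are assumptions.
const DEFAULT_CODESAMPLE_LANGUAGES = ['markup', 'javascript', 'css', 'php',
  'ruby', 'python', 'java', 'c', 'csharp', 'cpp']; // assumed 5.x defaults
const FIXED_TINYMCE = '5.6.0'; // first patched TinyMCE release (advisory)
const FIXED_PRISM = '1.21.0';  // PrismJS version named by the advisory
function parseVersion(v) {
  return String(v).split('.').map((n) => parseInt(n, 10) || 0);
}

// True when version a sorts before version b (major.minor.patch).
function versionLt(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((x[i] || 0) !== (y[i] || 0)) return (x[i] || 0) < (y[i] || 0);
  }
  return false;
}

// TinyMCE accepts plugins as a space-separated string or an array.
function pluginList(config) {
  const p = config.plugins || [];
  return Array.isArray(p) ? p : String(p).split(/\s+/).filter(Boolean);
}
function codesampleLanguages(config) {
  const langs = config.codesample_languages;
  return Array.isArray(langs) ? langs.map((l) => l.value) : DEFAULT_CODESAMPLE_LANGUAGES;
}

// Walks the advisory's conditions in order; globalPrismVersion is the
// window.Prism version in use when codesample_global_prismjs is set.
function assessReDoSExposure(config, tinymceVersion, globalPrismVersion) {
  if (!versionLt(tinymceVersion, FIXED_TINYMCE)) return { exposed: false, reason: 'TinyMCE >= 5.6.0' };
  if (!pluginList(config).includes('codesample')) return { exposed: false, reason: 'codesample plugin not enabled' };
  if (!codesampleLanguages(config).includes('ruby')) return { exposed: false, reason: 'ruby disabled via codesample_languages' };
  if (config.codesample_global_prismjs === true && globalPrismVersion && !versionLt(globalPrismVersion, FIXED_PRISM)) {
    return { exposed: false, reason: 'global PrismJS >= 1.21.0 overrides the bundled highlighter' };
  }
  return { exposed: true, reason: 'ruby highlighting with the bundled vulnerable PrismJS' };
}

// Constructed configs: weakConfig relies on the default language list (ruby
// included); hardenedConfig applies the codesample_languages workaround.
const weakConfig = { selector: 'textarea', plugins: 'codesample link' };
const hardenedConfig = {
  selector: 'textarea',
  plugins: 'codesample link',
  codesample_languages: [{ text: 'JavaScript', value: 'javascript' }, { text: 'Python', value: 'python' }],
};
```

The codesample_global_prismjs branch only counts as a mitigation when the page's own Prism version is passed in, since the setting by itself says nothing about which PrismJS the page loads.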
@dependabot-preview (Contributor, Author)

Superseded by #154.

@dependabot-preview dependabot-preview Bot deleted the dependabot/npm_and_yarn/tinymce-5.7.1 branch June 1, 2021 06:50