Security

A statement on security.


Q: Is TinyMCE protected against XSS vulnerabilities?

TinyMCE filters out some of the more common XSS content, such as scripts, from the contents, since it is fairly common for the editor to be used in a single-page application. However, if you want extra security, we suggest passing the content through server-side filters such as HTMLPurifier.

Q: How do I set up Content Security Policy (CSP) with TinyMCE?

You can use TinyMCE with a CSP header, but a few directives need to be enabled for the editor to function properly. The following directives are required by TinyMCE, and why:

Directive                                   Requirement
script-src 'self' *.tinymce.com;            Scripts are sometimes loaded as a script element with a src attribute.
connect-src 'self' *.tinymce.com;           XMLHttpRequests are required by some services, such as spell checking.
img-src 'self' *.tinymce.com data: blob:;   Images within the editor are sometimes base64 encoded, blob URLs, or proxied through the cloud service.
style-src 'self' 'unsafe-inline';           Styles are used on dialogs and menus to position them relative to other elements.
font-src 'self' *.tinymce.com;              Fonts are used for icons in the UI and are loaded from external files.

You can use this CSP header when TinyMCE is served from the cloud:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' *.tinymce.com; connect-src 'self' *.tinymce.com; img-src 'self' *.tinymce.com data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' *.tinymce.com;" />

You can use this CSP header when TinyMCE is served from a local domain; it excludes the *.tinymce.com domain:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self';" />
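As an added example (not part of the TinyMCE documentation), here is a small JavaScript checker that parses a policy string and reports which of the sources listed above are missing, including the CSP fallback from an unset fetch directive to default-src; the requirement table is embedded as data, and the `cloud` flag and function names are this example's own assumptions.

```javascript
// Added example (not TinyMCE's own code). Sources TinyMCE needs per directive,
// from the table above; the cloud host is added to all but style-src when cloud=true.
const TINYMCE_REQUIREMENTS = {
  'script-src': ["'self'"],
  'connect-src': ["'self'"],
  'img-src': ["'self'", 'data:', 'blob:'],
  'style-src': ["'self'", "'unsafe-inline'"],
  'font-src': ["'self'"],
};
const CLOUD_HOST = '*.tinymce.com';

// Parse "a b; c d" into { a: ['b'], c: ['d'] }. Names and keywords are
// case-insensitive; a repeated directive is ignored, as the CSP spec requires.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
    if (tokens.length === 0) continue;
    if (!(tokens[0] in directives)) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Effective source list for a fetch directive: its own list if set, otherwise
// default-src, otherwise null (the policy does not restrict it at all).
function effectiveSources(directives, name) {
  if (name in directives) return directives[name];
  return 'default-src' in directives ? directives['default-src'] : null;
}

// '*' matches network hosts (the page's own origin and *.tinymce.com) but not
// scheme sources (data:, blob:) or 'unsafe-inline'; those must be listed explicitly.
function allows(sources, src) {
  return sources.includes(src) || (sources.includes('*') && (src === "'self'" || src === CLOUD_HOST));
}

// Returns "directive: source" strings the policy fails to grant; an empty
// array means the editor has everything it needs under this policy.
function missingForTinymce(policy, cloud = false) {
  const directives = parseCsp(policy);
  const missing = [];
  for (const [name, needed] of Object.entries(TINYMCE_REQUIREMENTS)) {
    const sources = effectiveSources(directives, name);
    if (sources === null) continue;
    const wanted = cloud && name !== 'style-src' ? [...needed, CLOUD_HOST] : needed;
    for (const src of wanted) if (!allows(sources, src)) missing.push(`${name}: ${src}`);
  }
  return missing;
}
```

Run it against the content attribute of a proposed header before deploying; a non-empty result names exactly the directive and source the editor will be blocked on.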


Except as otherwise noted, the content of this page is licensed under the Creative Commons BY-NC-SA 3.0 License, and code samples are licensed under the Apache 2.0 License.