We have just had a PEN test carried out on one of our customer sites and they have found issues with version 4 of Tinymce in Umbraco version 8 and I
assume the same issues also found in the version 10 sites we have.
Is there any plans to update version 10 LTS to the later version of Tinymce where the bugs not present.
It seems a bit over the top to have to upgrade a new version 10 site 10 Umbraco 11+ to fix the issue.
IS version 10 ever going to get Tinymce Version 5 or 6????
TinyMCE was upgraded to v6 in Umbraco 11 and the rich text editor documentation provides links for guides on how to upgrade it yourself. So perhaps that's an option for you?
I doubt Umbraco 10 will receive any updates to it if it hasn't already as its security phase support ends in June of this year and it's EoL next year.
I feel your pain, having to justify and maintain old sites is a thorny issue, particularly when it comes to security!
Remember as much as your running old Umbraco software, the bare metal (server software) you're running it on is likely ageing as well. I would recommend building in an update strategy to your overall offering.
We've now migrated all of our "legacy" sites, pre .net core. Our strategy focuses on Azure's web services which sweeps away the issue of ageing server platforms and allows us to work on and between LTS releases of Umbraco on .net core.
Bear in mind LTS is now officially on Umbraco 13, which would solve security issues with TinyMCE. While Umbraco 10 is scheduled for security fixes until 2025, I feel the issue of TinyMCE specifically will only be overcome by moving to the next LTS (Umbraco 13).
If you're looking for a relatively fast and pain free route to Umbraco 13, may I suggest the excellent uSync and uSync Migrations. It generally worked great for us, but bear in mind you may need to write migrators if any of your propertytypes/datatypes are out of the ordinary.
Tinymce version 4.9.X (Securely Issue)
We have just had a PEN test carried out on one of our customer sites and they have found issues with version 4 of Tinymce in Umbraco version 8 and I assume the same issues also found in the version 10 sites we have.
Is there any plans to update version 10 LTS to the later version of Tinymce where the bugs not present.
It seems a bit over the top to have to upgrade a new version 10 site 10 Umbraco 11+ to fix the issue.
IS version 10 ever going to get Tinymce Version 5 or 6????
Bug CVEs CVE-2023-26116 CVE-2023-48219 CVE-2023-4581
TinyMCE was upgraded to v6 in Umbraco 11 and the rich text editor documentation provides links for guides on how to upgrade it yourself. So perhaps that's an option for you?
I doubt Umbraco 10 will receive any updates to it if it hasn't already as its security phase support ends in June of this year and it's EoL next year.
Hi Darren
I feel your pain, having to justify and maintain old sites is a thorny issue, particularly when it comes to security!
Remember as much as your running old Umbraco software, the bare metal (server software) you're running it on is likely ageing as well. I would recommend building in an update strategy to your overall offering.
We've now migrated all of our "legacy" sites, pre .net core. Our strategy focuses on Azure's web services which sweeps away the issue of ageing server platforms and allows us to work on and between LTS releases of Umbraco on .net core.
Bear in mind LTS is now officially on Umbraco 13, which would solve security issues with TinyMCE. While Umbraco 10 is scheduled for security fixes until 2025, I feel the issue of TinyMCE specifically will only be overcome by moving to the next LTS (Umbraco 13).
If you're looking for a relatively fast and pain free route to Umbraco 13, may I suggest the excellent uSync and uSync Migrations. It generally worked great for us, but bear in mind you may need to write migrators if any of your propertytypes/datatypes are out of the ordinary.
is working on a reply...