From e8dd96cf42cb7ee288255bd0fea79da4be4a2770 Mon Sep 17 00:00:00 2001
From: Karl Kemister-Sheppard
Date: Tue, 10 Feb 2026 12:57:12 +1000
Subject: [PATCH 1/2] DOC-3364: TinyMCE 7.9.2 Documentation and Community Changelog.
---
 modules/ROOT/nav.adoc | 13 +-
 modules/ROOT/pages/7.9.2-release-notes.adoc | 178 +++---------------
 modules/ROOT/pages/changelog.adoc | 14 +-
 modules/ROOT/pages/content-filtering.adoc | 2 +
 .../configuration/allow_html_in_comments.adoc | 25 +++
 .../partials/misc/supported-versions.adoc | 2 +-
 6 files changed, 62 insertions(+), 172 deletions(-)
 create mode 100644 modules/ROOT/partials/configuration/allow_html_in_comments.adoc
diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index 5d304ccd49..e37ba743ac 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -419,20 +419,9 @@
 ** xref:release-notes.adoc[Release notes for {productname}]
 *** {productname} 7.9.2
 **** xref:7.9.2-release-notes.adoc#overview[Overview]
-**** xref:7.9.2-release-notes.adoc#new-premium-plugin[New Premium Plugin]
-**** xref:7.9.2-release-notes.adoc#new-open-source-plugin[New Open Source Plugin]
-**** xref:7.9.2-release-notes.adoc#accompanying-premium-plugin-changes[Accompanying Premium Plugin changes]
-**** xref:7.9.2-release-notes.adoc#accompanying-premium-plugin-end-of-life-announcement[Accompanying Premium Plugin end-of-life announcement]
-**** xref:7.9.2-release-notes.adoc#accompanying-open-source-plugin-end-of-life-announcement[Accompanying Open Source Plugin end-of-life announcement]
-**** xref:7.9.2-release-notes.adoc#accompanying-enhanced-skins-and-icon-packs-changes[Accompanying Enhanced Skins & Icon Packs changes]
-**** xref:7.9.2-release-notes.adoc#improvements[Improvements]
 **** xref:7.9.2-release-notes.adoc#additions[Additions]
-**** xref:7.9.2-release-notes.adoc#changes[Changes]
-**** xref:7.9.2-release-notes.adoc#removed[Removed]
-**** xref:7.9.2-release-notes.adoc#bug-fixes[Bug fixes]
-**** xref:7.9.2-release-notes.adoc#security-fixes[Security fixes]
 **** xref:7.9.2-release-notes.adoc#deprecated[Deprecated]
-**** xref:7.9.2-release-notes.adoc#known-issues[Known issues]
+**** xref:7.9.2-release-notes.adoc#security-fixes[Security fixes]
 *** {productname} 7.9.0
 **** xref:7.9.0-release-notes.adoc#overview[Overview]
 **** xref:7.9.0-release-notes.adoc#accompanying-premium-self-hosted-server-side-component-changes[Accompanying Premium self-hosted server-side component changes]
diff --git a/modules/ROOT/pages/7.9.2-release-notes.adoc b/modules/ROOT/pages/7.9.2-release-notes.adoc
index 75d6b952a6..3768f97d07 100644
--- a/modules/ROOT/pages/7.9.2-release-notes.adoc
+++ b/modules/ROOT/pages/7.9.2-release-notes.adoc
@@ -11,185 +11,49 @@ include::partial$misc/admon-releasenotes-for-stable.adoc[] [[overview]] == Overview -{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Monday, November 2^nd^, 2026. These release notes provide an overview of the changes for {productname} {release-version}, including: - -// Remove sections and section boilerplates as necessary. -// Pluralise as necessary or remove the placeholder plural marker. -* xref:new-premium-plugin[New Premium plugin] -* xref:new-open-source-plugin[New Open Source plugin] -* xref:accompanying-premium-plugin-changes[Accompanying Premium plugin changes] -* xref:accompanying-premium-plugin-end-of-life-announcement[Accompanying Premium plugin end-of-life announcement] -* xref:accompanying-open-source-plugin-end-of-life-announcement[Accompanying open source plugin end-of-life announcement] -* xref:accompanying-enhanced-skins-and-icon-packs-changes[Accompanying Enhanced Skins & Icon Packs changes] -* xref:improvements[Improvements] +{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Wednesday, February 11^th^, 2026. These release notes provide an overview of the changes for {productname} {release-version}, including: + * xref:additions[Additions] -* xref:changes[Changes] -* xref:bug-fixes[Bug fixes] -* xref:security-fixes[Security fixes] * xref:deprecated[Deprecated] -* xref:known-issues[Known issues] - - -[[new-premium-plugin]] -== New Premium plugin - -The following new Premium plugin was released alongside {productname} {release-version}. - -=== - -The new Premium plugin, **** // description here. - -For information on the **** plugin, see xref:.adoc[]. - - -[[new-open-source-plugin]] -== New Open Source plugin - -The following new Open Source plugin was released alongside {productname} {release-version}. - -=== - -The new open source plugin, **** // description here. - -For information on the **** plugin, see xref:.adoc[]. 
- - -[[accompanying-premium-plugin-changes]] -== Accompanying Premium plugin changes - -The following premium plugin updates were released alongside {productname} {release-version}. - -=== - -The {productname} {release-version} release includes an accompanying release of the **** premium plugin. - -**** includes the following . - -==== - -// CCFR here. - -For information on the **** plugin, see: xref:.adoc[]. - - -[[accompanying-premium-plugin-end-of-life-announcement]] -== Accompanying Premium plugin end-of-life announcement - -The following Premium plugin has been announced as reaching its end-of-life: - -=== - -{productname}'s xref:.adoc[] plugin will be deactivated on
, , and is no longer available for purchase. - - -[[accompanying-open-source-plugin-end-of-life-announcement]] -== Accompanying open source plugin end-of-life announcement - -The following open source plugin has been announced as reaching its end-of-life: - -=== - -{productname}'s xref:.adoc[] plugin will be deactivated on
, , and is no longer available for purchase. - - -[[accompanying-enhanced-skins-and-icon-packs-changes]] -== Accompanying Enhanced Skins & Icon Packs changes - -The {productname} {release-version} release includes an accompanying release of the **Enhanced Skins & Icon Packs**. - -=== Enhanced Skins & Icon Packs - -The **Enhanced Skins & Icon Packs** release includes the following updates: - -The **Enhanced Skins & Icon Packs** were rebuilt to pull in the changes also incorporated into the default {productname} {release-version} skin, Oxide. - -For information on using Enhanced Skins & Icon Packs, see: xref:enhanced-skins-and-icon-packs.adoc[Enhanced Skins & Icon Packs]. - - -[[improvements]] -== Improvements - -{productname} {release-version} also includes the following improvement: - -=== -// #TINY-vwxyz1 - -// CCFR here. +* xref:security-fixes[Security fixes] [[additions]] == Additions -{productname} {release-version} also includes the following addition: - -=== -// #TINY-vwxyz1 - -// CCFR here. - - -[[changes]] -== Changes - -{productname} {release-version} also includes the following change: +{productname} {release-version} also includes the following addition: -=== -// #TINY-vwxyz1 +=== Introduced `allow_html_in_comments` option -// CCFR here. +Introduced `allow_html_in_comments` option (boolean, default: `true`) to control handling of HTML-like syntax in comment nodes. This option will default to `false` in TinyMCE 8.x. +For information on the `allow_html_in_comments` option, see: xref:content-filtering.adoc#allow-html-in-comments[allow_html_in_comments]. -[[removed]] -== Removed -{productname} {release-version} also includes the following removal: - -=== -// #TINY-vwxyz1 - -// CCFR here. 
- - -[[bug-fixes]] -== Bug fixes +[[deprecated]] +== Deprecated -{productname} {release-version} also includes the following bug fix: +{productname} {release-version} includes the following deprecation: -=== -// #TINY-vwxyz1 +=== The default value of `allow_html_in_comments` will change in TinyMCE 8.x -// CCFR here. +The default value of `allow_html_in_comments` will change from `true` to `false` in TinyMCE 8.x. [[security-fixes]] == Security fixes -{productname} {release-version} includes : - -=== -// #TINY-vwxyz1 - -// CCFR here. - - -[[deprecated]] -== Deprecated - -{productname} {release-version} includes the following deprecation: - -=== The `` configuration property, ``, has been deprecated - -// placeholder here. - +{productname} {release-version} includes fixes for the following security issues: -[[known-issues]] -== Known issues +=== Enhanced content sanitization -This section describes issues that users of {productname} {release-version} may encounter and possible workarounds for these issues. +Updated dependencies and parsing logic for enhanced content sanitization. HTML-like content in comments and certain legacy patterns are now sanitized more strictly when `xss_sanitization` is enabled (default). The introduced `allow_html_in_comments` option provides control over comment node sanitization behavior. -There known issue in {productname} {release-version}. +For information on content sanitization, see: xref:security.adoc#sanitizing-html-input-to-protect-against-xss-attacks[Sanitizing HTML input to protect against XSS attacks]. -=== -// #TINY-vwxyz1 +[IMPORTANT] +==== +**Migration:** Legacy content using HTML comment wrappers in script or style tags should be updated to use modern syntax without comment wrappers. These comment patterns were primarily used for compatibility with browsers from the 1990s and are not required by modern browsers. -// CCFR here. 
+**Workaround:** To temporarily preserve existing content during migration, set `xss_sanitization: false`, though this is **not recommended** for production environments due to security implications. +==== diff --git a/modules/ROOT/pages/changelog.adoc b/modules/ROOT/pages/changelog.adoc index 090a451674..d244358e38 100644 --- a/modules/ROOT/pages/changelog.adoc +++ b/modules/ROOT/pages/changelog.adoc @@ -4,9 +4,19 @@ NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes]. -== xref:7.9.2-release-notes.adoc[7.9.2 - 2026-11-02] +== xref:7.9.2-release-notes.adoc[7.9.2 - 2026-02-11] -//TODO +=== Deprecated + +* The default value of `allow_html_in_comments` will change from `true` to `false` in TinyMCE 8.x. +// #TINY-11900 + +=== Security + +* Updated dependencies and parsing logic for enhanced content sanitization. HTML-like content in comments and certain legacy patterns are now sanitized more strictly when `xss_sanitization` is enabled (default). The introduced `allow_html_in_comments` option provides control over comment node sanitization behavior. +// #TINY-11900 +* Introduced `allow_html_in_comments` option (boolean, default: `true`) to control handling of HTML-like syntax in comment nodes. This option will default to `false` in TinyMCE 8.x. +// #TINY-11900 == 7.9.1 - 2025-05-29 diff --git a/modules/ROOT/pages/content-filtering.adoc b/modules/ROOT/pages/content-filtering.adoc index 2a5896970a..e0395ed15f 100644 --- a/modules/ROOT/pages/content-filtering.adoc +++ b/modules/ROOT/pages/content-filtering.adoc 
@@ -7,6 +7,8 @@ include::partial$configuration/allow_conditional_comments.adoc[] include::partial$configuration/allow_html_in_named_anchor.adoc[] +include::partial$configuration/allow_html_in_comments.adoc[] + include::partial$configuration/allow_mathml_annotation_encodings.adoc[] include::partial$configuration/allow_unsafe_link_target.adoc[] diff --git a/modules/ROOT/partials/configuration/allow_html_in_comments.adoc b/modules/ROOT/partials/configuration/allow_html_in_comments.adoc new file mode 100644 index 0000000000..c46c91aaff --- /dev/null +++ b/modules/ROOT/partials/configuration/allow_html_in_comments.adoc @@ -0,0 +1,25 @@ +[[allow-html-in-comments]] +== `+allow_html_in_comments+` + +This option controls whether HTML-like syntax in comment nodes is allowed during content sanitization. When set to `false`, HTML-like content in comment nodes will be sanitized more strictly. + +*Type:* `+Boolean+` + +*Default value:* `+true+` + +*Possible values:* `+true+`, `+false+` + +[NOTE] +==== +This option will default to `false` in {productname} 8.x. +==== + +=== Example: using `+allow_html_in_comments+` + +[source,js] +---- +tinymce.init({ + selector: 'textarea', // change this value according to your HTML + allow_html_in_comments: false +}); +---- diff --git a/modules/ROOT/partials/misc/supported-versions.adoc b/modules/ROOT/partials/misc/supported-versions.adoc index 38c71fd449..b5eafb9a2c 100644 --- a/modules/ROOT/partials/misc/supported-versions.adoc +++ b/modules/ROOT/partials/misc/supported-versions.adoc @@ -6,7 +6,7 @@ Supported versions of {productname}: [cols="^,^,^",options="header"] |=== |Version |Release Date |End of Premium Support -|7.9.2 |2026-11-02 |2027-11-02 +|7.9.2 |2026-02-11 |2027-02-11 |7.9 |2025-05-14 |2026-11-14 |7.8 |2025-04-09 |2026-10-09 |7.7 |2025-02-20 |2026-08-20 From 7b3e9dce23fdc25d9e723c64fa83e854132f1258 Mon Sep 17 00:00:00 2001 
From: Karl Kemister-Sheppard
Date: Wed, 11 Feb 2026 13:51:02 +1000
Subject: [PATCH 2/2] DOC-3364: api-version bump to TinyMCE 7.9.2.
---
 .api-version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.api-version b/.api-version
index ac2f3747d9..e048e60ec1 100644
--- a/.api-version
+++ b/.api-version
@@ -1 +1 @@
-7.9.1
\ No newline at end of file
+7.9.2
\ No newline at end of file