TinyMCE 8.5.0

The TinyMCE 8.5.0 release includes an accompanying release of the <Premium plugin name 1> premium plugin.

<Premium plugin name 1> <Premium plugin name 1 version> includes the following <fixes, changes, improvements>.

The Enhanced Skins & Icon Packs release includes the following updates:

The Enhanced Skins & Icon Packs were rebuilt to pull in the changes also incorporated into the default TinyMCE 8.5.0 skin, Oxide.

For information on using Enhanced Skins & Icon Packs, see: Enhanced Skins & Icon Packs.

Previously, script elements that were explicitly allowed through valid_elements or extended_valid_elements were removed during the sanitization process when xss_sanitization was enabled. DOMPurify flagged these elements as potential mXSS vectors and removed them entirely, even when the schema configuration indicated they were valid.

In TinyMCE 8.5.0, script elements that are considered valid in the schema are retained during sanitization. The sanitization process still removes unsafe attributes and content, but no longer removes the entire element when the schema explicitly allows it.

Previously, iframe elements that contained child nodes were removed entirely during the sanitization process, even when the editor configuration allowed iframes. DOMPurify treated the presence of child nodes within an iframe as a potential mXSS risk and stripped the entire element from the content.

In TinyMCE 8.5.0, iframe elements are preserved during sanitization. Any child nodes and unsafe or invalid attributes are removed, but the iframe element itself remains in the editor content.