From 4358a32c2191144b3a6b992f126a37ddcfb0ac04 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Mon, 20 Apr 2026 19:36:14 +1000 Subject: [PATCH] Docs: DOC-3355 - Prevent valid iframe and script elements from being removed by DOMPurify --- modules/ROOT/pages/8.5.0-release-notes.adoc | 14 ++++++++++++++ modules/ROOT/pages/fullpagehtml.adoc | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/modules/ROOT/pages/8.5.0-release-notes.adoc b/modules/ROOT/pages/8.5.0-release-notes.adoc index 1a48ade30d..4b5e11da8d 100644 --- a/modules/ROOT/pages/8.5.0-release-notes.adoc +++ b/modules/ROOT/pages/8.5.0-release-notes.adoc 
@@ -110,6 +110,20 @@ For information on using Enhanced Skins & Icon Packs, see: xref:enhanced-skins-a // CCFR here. +=== Script elements would incorrectly be removed by DOMPurify when considered valid in the schema +// #TINY-9655 + +Previously, `script` elements that were explicitly allowed through xref:content-filtering.adoc#valid_elements[`+valid_elements+`] or xref:content-filtering.adoc#extended_valid_elements[`+extended_valid_elements+`] were removed during the sanitization process when xref:content-filtering.adoc#xss_sanitization[`+xss_sanitization+`] was enabled. DOMPurify flagged these elements as potential mXSS vectors and removed them entirely, even when the schema configuration indicated they were valid. + +In {productname} {release-version}, `script` elements that are considered valid in the schema are retained during sanitization. The sanitization process still removes unsafe attributes and content, but no longer removes the entire element when the schema explicitly allows it. + +=== Iframe elements with children would incorrectly be removed by DOMPurify +// #TINY-9655 + +Previously, `iframe` elements that contained child nodes were removed entirely during the sanitization process, even when the editor configuration allowed iframes. DOMPurify treated the presence of child nodes within an `iframe` as a potential mXSS risk and stripped the entire element from the content. + +In {productname} {release-version}, `iframe` elements are preserved during sanitization. Any child nodes and unsafe or invalid attributes are removed, but the `iframe` element itself remains in the editor content. + [[security-fixes]] == Security fixes diff --git a/modules/ROOT/pages/fullpagehtml.adoc b/modules/ROOT/pages/fullpagehtml.adoc index b89d4dc369..1a64469df5 100644 --- a/modules/ROOT/pages/fullpagehtml.adoc +++ b/modules/ROOT/pages/fullpagehtml.adoc 
@@ -41,7 +41,7 @@ include::partial$misc/bundling-guide-link.adoc[] [WARNING] ==== **Certain elements may be removed by XSS sanitization** -By default, {productname} sanitizes HTML content to protect against XSS attacks. Elements outside the HTML5 specification, such as `
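Review bot: In the new iframe section of 8.5.0-release-notes.adoc, the closing paragraph says "`iframe` elements are preserved during sanitization" without the condition that the sentence before it sets up ("even when the editor configuration allowed iframes"), so it reads as if iframes are now kept regardless of configuration. Suggest wording it in parallel with the script section, for example "`iframe` elements that the editor configuration allows are preserved during sanitization". In the script section, "still removes unsafe attributes and content" does not say whether the inline body of a retained `script` element survives. Because this entry relaxes what is stripped while `xss_sanitization` is enabled, state that explicitly so integrators who list `script` in `valid_elements` or `extended_valid_elements` know what now reaches the editor content.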