TinyMCE Rich Text Sanitization Configuration

Charlie22 · May 30, 2025, 2:15pm

We are in the process of upgrading from Umbraco 13 to 14 and so have changed our tinyMCE Rich Text config setup. Using the same settings as previously, we have noticed that all on* element attributes (such as an onclick attribute within a button element) is being sanitized when exiting from source code view.

We have added the necessary settings such as:

        "SanitizeTinyMce": false,
        "valid_elements": "*[*]",
        "extended_valid_elements": "*[*]",

but it is still sanitizing the onclick attribute in the button. We are not sure what is wrong here or what has changed to cause this from v13 to v14.

Here is our current umbraco-package.json:

{
  "$schema": "../umbraco-package-schema.json",
  "name": "TinyMCE",
  "extensions": [
    {
      "type": "tinyMcePlugin",
      "alias": "tinymce",
      "name": "TinyMCE",
      "meta": {
        "SanitizeTinyMce": false,
        "config": {
          "plugins": [
            "charmap",
            "advlist",
            "autolink",
            "searchreplace"
          ],
          "valid_elements": "*[*]",
          "extended_valid_elements": "*[*]",
          "entity_encoding": "raw",
          "toc_depth": "4",
          "relative_urls": false,
          "remove_script_host": false,
          "style_formats": [
            {
              "title": "Headings",
              "items": [
                {
                  "title": "Heading 1",
                  "block": "h1"
                }
              ]
            }
          ]
        }
      }
    }
  ]
}

Any help would be much appreciated, thanks.

huwred · May 31, 2025, 11:45am

IIRC, that setting goes in appsettings under Umbraco\Global rather than in your manifest

LuukPeters · June 2, 2025, 2:32pm

Just a heads up that Umbraco 14 is officially out of support now. And the release is 16 is almost there. So make sure not to stick to 14

Charlie22 · June 4, 2025, 11:26am

Hi,

Thank you for the information. We were following your blog post and this forum post:

{
  "name": "My TinyMCE Plugin",
  "version": "1.0.0",
  "extensions": [
    {
      "type": "tinyMcePlugin",
      "alias": "mytinymceplugin",
      "name": "My TinyMCE Plugin",
      "meta": {
        "SanitizeTinyMce": false,

        "config": {

Has this changed? We were trying to get info on this from the Umbraco docs but it seems the property is no longer in the Umbraco 14/15 global settings: Global Settings | Umbraco CMS

We’ve tried both Umbraco 14 and 15 with the setting in both places but it’s still stripping the on* attributes.

Thanks for your help.

huwred · June 5, 2025, 6:27am

Did a few tests and you are correct it appears to have no effect