DOC-2204: TinyMCE 6.7.3 release docs.

* DOC-2185: TinyMCE 6.7.1 Release Notes

* DOC-2185: 6.7.1-release-notes.adoc

Added file, `6.7.1-release-notes.adoc` to project.

Added 6.7.1-specific release notes outline to file.

* DOC-2185: changelog.adoc

Added 6.7.1-specific outline of expected changelog entries.

* DOC-2185: nav.adoc

Added 6.7.1-specific entries to navigation.

* DOC-2185: changelog.md

Added entry for this ticket.

* DOC-2185: release-notess.adoc

Added 6.7.1 release notes table cell.

Tweaked dummy cell as required for the above change.

* DOC-2185: 6.7.1-release-notes.adoc

Added write up of TINY-10180 to security fixes section of the release notes.

* DOC-2185: 6.7.1-release-notes.adoc

Removed outbound twitter link.

* Removed Bug fix placeholders and added GHSA link

* updated GHSA link, replaced mce link with DOM Parser link.

* DOC-2185: added TINY-10286 placeholder, and 10215 title.

* DOC-2185: added draft content for TINY-10286.

* Update modules/ROOT/nav.adoc

* Update modules/ROOT/pages/6.7.1-release-notes.adoc

* Update modules/ROOT/pages/changelog.adoc

* Update modules/ROOT/pages/changelog.adoc

* Update modules/ROOT/pages/6.7.1-release-notes.adoc

* Update modules/ROOT/pages/6.7.1-release-notes.adoc

* Update modules/ROOT/pages/6.7.1-release-notes.adoc

* Update modules/ROOT/pages/changelog.adoc



* DOC-2185: API-version bump to 6.7.1.

---------




* Merge remote-tracking branch 'docs/release/docs-6' into base-docs/release-6

* DOC-2204: TinyMCE 6.7.3 release docs.

* Update GHSA outline with finalised content and links

* Update modules/ROOT/pages/6.7.3-release-notes.adoc

* Update modules/ROOT/pages/6.7.3-release-notes.adoc

* Update modules/ROOT/pages/6.7.3-release-notes.adoc

* Update modules/ROOT/pages/6.7.3-release-notes.adoc



* Update modules/ROOT/pages/6.7.3-release-notes.adoc



* Update changelog.md

* Update modules/ROOT/pages/changelog.adoc

* DOC-2204: api-version bump for 6.7.3 API docs

---------

Co-authored-by: bforte <[email protected]>
Co-authored-by: mkzhx <[email protected]>
Co-authored-by: mkzhx <[email protected]>

.api-version

@@ -1 +1 @@
-6.7.2
+6.7.3

changelog.md

@@ -7,6 +7,10 @@ The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/
 ### Unreleased
 
 
+### 2023-11-15
+
+- DOC-2204: added `6.7.3-release-notes.adoc` to project; updated `changelog.adoc`, `nav.adoc` and `release-notes.adoc` for the TinyMCE 6.7.3 release, and api-version bump for 6.7.3.
+
 ### 2023-11-01
 
 - DOC-2194: fix heading lvl in 6.7.2 release notes for fixes.

modules/ROOT/nav.adoc

@@ -403,6 +403,9 @@
 ** xref:tinymce-and-cors.adoc[Cross-Origin Resource Sharing (CORS)]
 * Release information
 ** xref:release-notes.adoc[Release notes for TinyMCE 6]
+*** TinyMCE 6.7.3
+**** xref:6.7.3-release-notes.adoc#overview[Overview]
+**** xref:6.7.3-release-notes.adoc#security-fix[Security fix]
 *** TinyMCE 6.7.2
 **** xref:6.7.2-release-notes.adoc#overview[Overview]
 **** xref:accompanying-premium-self-hosted-server-side-component-changes[Accompanying Premium self-hosted server-side component changes]

modules/ROOT/pages/6.7.1-release-notes.adoc

@@ -42,8 +42,7 @@ GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-v65r-p3vv-jjfv
 
 NOTE: Tiny Technologies would like to thank Masato Kinugawa of https://cure53.de/[Cure53] for discovering this vulnerability.
 
-
-### Notification messages containing HTML were not properly XSS sanitized before being displayed.
+=== Notification messages containing HTML were not properly XSS sanitized before being displayed.
 //#TINY-10286
 
 A https://owasp.org/www-community/attacks/xss/[cross-site scripting] (XSS) vulnerability was discovered in {productname}'s Notification Manager API. The vulnerability exploits {productname}'s unfiltered notification system, which is used in error handling. The conditions for this exploit requires carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered.

modules/ROOT/pages/6.7.3-release-notes.adoc

@@ -0,0 +1,38 @@
+= TinyMCE 6.7.3
+:navtitle: TinyMCE 6.7.3
+:description: Release notes for TinyMCE 6.7.3
+:keywords: releasenotes, new, changes, bugfixes
+:page-toclevels: 1
+
+include::partial$misc/admon-releasenotes-for-stable.adoc[]
+
+[[overview]]
+== Overview
+
+{productname} 6.7.3 was released for {enterpriseversion} and {cloudname} on Wednesday, November 15^th^, 2023. These release notes provide an overview of the changes for {productname} 6.7.3, including:
+
+* xref:security-fixes[Security fixes]
+
+
+[[security-fixes]]
+== Security fixes
+
+{productname} 6.7.3 includes a fix for the following security issue:
+
+=== Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin
+
+A https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by_using_innerHTML_mutations[mutation cross-site scripting] (mXSS) vulnerability was discovered in {productname}’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the https://html.spec.whatwg.org/multipage/parsing.html#serialising-html-fragments[HTML standard]. If such text nodes contain a special character reserved as an internal marker, they can be combined with other HTML patterns to form malicious snippets. These snippets pass the initial sanitization layer when the content is parsed into the editor body, but can trigger XSS when the special internal marker is removed from the content and re-parsed. Such mutations occur when serialized HTML content is processed before being stored in the undo stack, or when the following APIs and plugins are used:
+
+* https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#getContent[tinymce.Editor.getContent({ format: 'raw' })]
+* https://tiny.cloud/docs/tinymce/6/apis/tinymce.editor/#resetContent[tinymce.Editor.resetContent()]
+* https://tiny.cloud/docs/tinymce/6/autosave/[Autosave Plugin]
+
+This vulnerability has been patched in {productname} 6.7.3 by:
+
+* ensuring that any unescaped text nodes which contain the special internal marker are emptied before removing the marker from the rest of the HTML, and;
+* removing the special internal marker from content strings passed to `Editor.setContent`, `Editor.insertContent`, and `Editor.resetContent` APIs to prevent them from being loaded into the editor as user-provided content.
+
+CVE: pending.
+
+GHSA: https://github.com/tinymce/tinymce/security/advisories/GHSA-v626-r774-j7f8[GitHub Advisory].
+NOTE: Tiny Technologies would like to thank Masato Kinugawa of https://cure53.de/[Cure53] for discovering this vulnerability.

modules/ROOT/pages/changelog.adoc

@@ -4,6 +4,15 @@
 
 NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes].
 
+== 6.7.3 - 2023-11-15
+
+### Changed
+* Zero width no-break space (U+FEFF) characters are removed from content passed to `setContent`, `insertContent`, and `resetContent` APIs.
+* Zero width no-break space (U+FEFF) characters in initial content are not loaded into the editor upon initialization.
+
+### Fixed
+* Specific HTML content containing unescaped text nodes caused mXSS when using undo/redo.
+* Specific HTML content containing unescaped text nodes caused mXSS when using the `getContent` and `setContent` APIs with the `format: 'raw'` option, which also affected the `resetContent` API and the draft restoration feature of the Autosave plugin.
 
 == 6.7.2 - 2023-10-25
 

modules/ROOT/pages/release-notes.adoc

@@ -9,6 +9,12 @@ This section lists the releases for {productname} 6 and the changes made in each
 [cols="1,1"]
 |===
 
+a|
+[.lead]
+xref:6.7.3-release-notes.adoc#overview[{productname} 6.7.3]
+
+Release notes for {productname} 6.7.3
+
 a|
 [.lead]
 xref:6.7.2-release-notes.adoc#overview[{productname} 6.7.2]