tinymce · kemister85 · Mar 5, 2024 · Feb 26, 2024 · Feb 26, 2024 · Mar 5, 2024
diff --git a/modules/ROOT/pages/7.0-release-notes.adoc b/modules/ROOT/pages/7.0-release-notes.adoc
@@ -218,6 +218,14 @@ Any editors using this `highlight_on_focus: true` option, can remove this option
 
 // CCFR here.
 
+=== `convert_unsafe_embeds` editor option is now defaulted to `true`.
+
+In {productname} 6.8.1, xref:content-filtering.adoc#convert-unsafe-embeds[convert_unsafe_embeds] editor option was introduced to allow `+object+` and `+embed+` elements to be converted by default to the correct element, respective of the MIME type, automatically when inserted into the editor.
+
+In {productname} 7.0, the default value for `+convert_unsafe_embeds+` will change from `false` to `true`, meaning that all `+object+` and `+embed+` tags will automatically be converted to different elements when inserted to the editor. If this behaviour is undesirable, set `+convert_unsafe_embeds+` to `+false+` in your editor configuration.
+
+For further details on the `+convert_unsafe_embeds+` option, see the xref:content-filtering.adoc#convert-unsafe-embeds[content filtering options], or refer to the xref:security.adoc#convert-unsafe-embeds[security guide], or the link:https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types[{productname} 6.8.1 release notes].
+
 
 [[bug-fixes]]
 == Bug fixes

diff --git a/modules/ROOT/pages/content-filtering.adoc b/modules/ROOT/pages/content-filtering.adoc
@@ -15,6 +15,8 @@ include::partial$configuration/convert_fonts_to_spans.adoc[]
 
 include::partial$configuration/custom_elements.adoc[]
 
+include::partial$configuration/convert_unsafe_embeds.adoc[]
+
 include::partial$configuration/doctype.adoc[]
 
 include::partial$configuration/element_format.adoc[]
@@ -43,6 +45,8 @@ include::partial$configuration/pad_empty_with_br.adoc[]
 
 include::partial$configuration/protect.adoc[]
 
+include::partial$configuration/sandbox_iframes.adoc[]
+
 include::partial$configuration/schema.adoc[]
 
 include::partial$configuration/valid_children.adoc[]

diff --git a/modules/ROOT/pages/security.adoc b/modules/ROOT/pages/security.adoc
@@ -92,7 +92,9 @@ include::partial$security/sanitizing-html-input-and-protecting-against-xss-attac
 [[securing-embedded-external-resources]]
 === Securing embedded external resources
 
-include::partial$security/securing-embedded-external-resources.adoc[]
+include::partial$configuration/sandbox_iframes.adoc[]
+
+include::partial$configuration/convert_unsafe_embeds.adoc[]
 
 [[insecure-transmission-and-storage-of-data]]
 === Insecure Transmission and Storage of data

diff --git a/modules/ROOT/partials/configuration/convert_unsafe_embeds.adoc b/modules/ROOT/partials/configuration/convert_unsafe_embeds.adoc
@@ -0,0 +1,22 @@
+[[convert-unsafe-embeds]]
+== `convert_unsafe_embeds` option
+
+This option controls whether an `<object>` and `<embed>` elements will be converted to more restrictive alternatives, namely `<img>` for image MIME types, `<video>` for video MIME types, `<audio>` for audio MIME types, or `<iframe>` for other or unspecified MIME types. 
+
+When converted to `<img>`, `<video>`, or `<audio>`, this prevents the embedded resource from performing potentially malicious actions including scripting, file downloads, browser popups, passing the same-origin policy, among others. Enable the `sandbox_iframes` option in addition to ensure <iframe> conversions are also neutralised.
+
+*Type:* `+Boolean+`
+
+*Possible values:* `true`, `false`
+
+*Default value:* `true`
+
+=== Example: using `convert_unsafe_embeds` option
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',  // change this value according to your html
+  convert_unsafe_embeds: false
+});
+----
diff --git a/modules/ROOT/partials/configuration/sandbox_iframes.adoc b/modules/ROOT/partials/configuration/sandbox_iframes.adoc
@@ -0,0 +1,20 @@
+[[sandbox-iframes-option]]
+== `sandbox_iframes` option
+
+This option controls whether the editor will add a `sandbox=""` attribute to all `<iframe>` elements. This will restrict the iframe’s embedded resource from performing potentially malicious actions including scripting, file downloads, browser popups, passing the same-origin policy, among others. Reference: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox[MDN].
+
+*Type:* `+Boolean+`
+
+*Possible values:* `true`, `false`
+
+*Default value:* `false`
+
+=== Example: using `sandbox_iframes` option
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',  // change this value according to your html
+  sandbox_iframes: true
+});
+----
diff --git a/modules/ROOT/partials/security/securing-embedded-external-resources.adoc b/modules/ROOT/partials/security/securing-embedded-external-resources.adoc