In TinyMCE 7, the license_key is a required part of the configuration used to initialize the TinyMCE object, as per the documentation. However, this poses a security risk since the license key can be easily exposed.
For example, even if we attempt to mask or encrypt the license key, we ultimately have to include the proper license key in the config object before initializing TinyMCE. Consequently, the key can be retrieved via developer tools console using:
tinymce.activeEditor.options.get('license_key');
This allows anyone with access to the console to fetch the license key, which is a significant security threat.
I’ve considered several approaches, such as masking or encrypting the license key before adding it to the configuration object. However, none of these methods seem effective because the correct license key must eventually be included in the configuration.
I was expecting to find a way to securely handle the license key such that it cannot be easily accessed or exposed via the console or any client-side means.
preetham poonacha is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.