Improper or Incomplete CSS Styles Are Stripped in HTML Editor After Xanadu Upgrade - Known Error

Improper or Incomplete CSS Styles Are Stripped in HTML Editor After Xanadu Upgrade Description After upgrading to Xanadu, improperly formatted or incomplete CSS styles are removed from the HTML Editor in the kb_knowledge article body field. This issue did not occur in previous versions (Washington DC and Vancouver).

Steps to Reproduce

Open a kb_knowledge record. Click on the Source Code ( <> ) button in the article body field. 3. Add the following CSS: .button{ background-color: red; } .button1{ background-color: red; } 4. Click on the Save Button

5. Click on Source Code icon again

Current Behavior: The entire CSS block is stripped, including the correctly formatted .button1 class. This behavior is expected starting from Xanadu with the Tinymce library major version upgrade(v6). Expected Behavior: The correctly formatted styles should persist in the HTML Editor.

Root Cause Analysis:

Prior to Xanadu, TinyMCE 5.x was used for handling HTML content, relying on SaxParser, which had a more lenient approach to processing malformed HTML and CSS.

With the Xanadu upgrade, TinyMCE was updated to 6.x, introducing DOMParser and DOMPurify for stricter content sanitization. These tools enforce proper HTML syntax and remove potentially unsafe or malformed content to mitigate XSS (Cross-Site Scripting) vulnerabilities.

As a result, missing closing tags or improperly structured CSS are now automatically removed during sanitization. Allowing unsafe or malformed content would require completely disabling sanitization, which poses significant security risks and is not recommended.

For more details on TinyMCE's security updates, refer to:

https://www.tiny.cloud/docs/tinymce/6/migration-from-5x/#security

Note:

To ensure CSS styles persist in the HTML Editor, all HTML and CSS must be properly formatted and follow strict syntax rules. In particular:

Ensure all tags are properly closed. Avoid using improperly structured or incomplete CSS. This change is part of an intentional security enhancement and cannot be reverted without compromising content sanitization and security.

Please test the HTML content using DOMPurify before pasting it into the HTML Editor. You can do so by visiting DOMPurify's official site .

Workaround There is currently no workaround for this issue, and the functionality cannot be restored to its previous state. The stricter sanitization enforced by DOMPurify is an intentional and necessary security measure. Allowing unsafe or malformed content would require disabling sanitization entirely, which introduces significant security risks and is strongly discouraged.

For details, refer to: TinyMCE 6 Migration Guide

Please correct the malformed HTML and CSS, starting from Xanadu.