
DOC-3355: Prevent valid iframe and script elements from being removed by DOMPurify#4083

Open
kemister85 wants to merge 1 commit into feature/8.5.0/DOC-3355 from feature/8.5.0/DOC-3355_TINY-9655

Conversation

Contributor

@kemister85 kemister85 commented Apr 20, 2026

Ticket: DOC-3355

Site: Staging

Changes:

  • Added two release note entries for TINY-9655 to modules/ROOT/pages/8.5.0-release-notes.adoc (Bug fixes section):
    • Script elements would incorrectly be removed by DOMPurify when considered valid in the schema.
    • Iframe elements with children would incorrectly be removed by DOMPurify.

Pre-checks:

  • Branch is correctly prefixed (release-note branch)
  • modules/ROOT/nav.adoc has been updated (if applicable).
  • Files have been included where required (if applicable).
  • Files removed have been deleted, not just excluded from the build (if applicable).
  • Files added for New product features include a release note entry.
  • Major or minor version changes have updated the supported-versions.adoc table.
  • Build passes without console errors, warnings, or issues.
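The two release notes in this PR describe a behaviour change that is worth checking for before upgrading: a `script` or `iframe` rule in `valid_elements` or `extended_valid_elements` that DOMPurify used to strip anyway is retained once `xss_sanitization` is on in 8.5.0, so a config that listed those elements while relying on the sanitizer to remove them will start keeping them. The following is an added example, not TinyMCE's or this PR's own code, that audits an init config for such rules. It assumes the common `name[attr|attr]` rule form with an optional leading `+` or `-`, the `name/alias` form, the `*` wildcard and the `attr=value`, `attr:value` and `attr<a?b` modifiers; it is not a complete implementation of TinyMCE's rule grammar, and the element list is taken from the two release-note entries above (script, iframe). The sample configs are constructed.

```javascript
// Added example (not TinyMCE's or this PR's own code): audit a TinyMCE init
// config for elements that DOMPurify previously removed even when the schema
// allowed them, and that TinyMCE 8.5.0 retains when xss_sanitization is on.
//
// Assumptions (not from the page): the rule parser handles `name[attr|attr]`,
// an optional leading `+` or `-`, the `name/alias` form, the `*` wildcard and
// the attribute modifiers `attr=value`, `attr:value`, `attr<a?b`. It is not a
// complete implementation of TinyMCE's rule grammar. The element list comes
// from the two release notes in this PR.

const RETAINED_AFTER_FIX = ['script', 'iframe'];

// Parse a valid_elements / extended_valid_elements string into
// Map<elementName, Set<attributeName>>.
function parseValidElements(ruleString) {
  const rules = new Map();
  if (!ruleString) return rules;
  for (const raw of ruleString.split(',')) {
    const rule = raw.trim();
    if (rule === '') continue;
    const m = /^[+-]?([^\[\]]+)(?:\[([^\]]*)\])?$/.exec(rule);
    if (!m) throw new Error(`unparseable rule: ${rule}`);
    const attrs = (m[2] || '')
      .split('|')
      .map(a => a.trim().split(/[=:<]/)[0].toLowerCase()) // drop default/enum modifiers
      .filter(a => a !== '');
    // `name/alias` maps both names to the same attribute set.
    for (const name of m[1].split('/')) {
      const key = name.trim().toLowerCase();
      if (!rules.has(key)) rules.set(key, new Set());
      for (const a of attrs) rules.get(key).add(a);
    }
  }
  return rules;
}

// Report which of the affected elements this config explicitly allows, and
// whether sanitization is enabled (TinyMCE's default for xss_sanitization is true).
function auditContentFiltering(config) {
  const xssSanitization = config.xss_sanitization !== false;
  const allowed = new Map();
  for (const option of ['valid_elements', 'extended_valid_elements']) {
    for (const [name, attrs] of parseValidElements(config[option])) {
      if (!allowed.has(name)) allowed.set(name, new Set());
      for (const a of attrs) allowed.get(name).add(a);
    }
  }
  const wildcard = allowed.has('*'); // assumption: `*[*]` allows every element
  const retained = RETAINED_AFTER_FIX
    .filter(el => wildcard || allowed.has(el))
    .map(el => ({
      element: el,
      attributes: [...(allowed.get(el) || allowed.get('*') || [])].sort(),
    }));
  return { xssSanitization, retained };
}

// Constructed sample configs (not from the page).
const sampleConfigs = {
  embeds: {
    selector: 'textarea#embeds',
    xss_sanitization: true,
    extended_valid_elements: 'script[src|type],iframe[src|width|height|allowfullscreen]',
  },
  links: {
    selector: 'textarea#links',
    extended_valid_elements: 'a[href|target=_blank|rel]',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, cfg] of Object.entries(sampleConfigs)) {
    const { xssSanitization, retained } = auditContentFiltering(cfg);
    console.log(
      name,
      'xss_sanitization=' + xssSanitization,
      retained.length
        ? 'retained after 8.5.0: ' + retained.map(r => r.element).join(', ')
        : 'no affected elements',
    );
  }
}
```

A non-empty `retained` list with `xssSanitization` true is the case the release notes describe: those elements were stripped before the fix and are kept after it, with only unsafe attributes and content removed, so the rule should be there on purpose.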

@kemister85 kemister85 requested review from a team and soritaheng as code owners April 20, 2026 09:36
@kemister85 kemister85 requested review from EkimChau, ShiridiGandham and tiny-james and removed request for a team April 20, 2026 09:36
@kemister85 kemister85 added the upcoming release Documentation for features currently under development/QA label Apr 20, 2026
@kemister85 kemister85 added this to the TinyMCE 8.5.0 milestone Apr 20, 2026
@kemister85 kemister85 requested a review from MitchC1999 April 20, 2026 09:37
@kemister85 kemister85 force-pushed the feature/8.5.0/DOC-3355_TINY-9655 branch from 12b438e to 4358a32 April 20, 2026 09:38
Comment on lines +113 to +118
=== Script elements would incorrectly be removed by DOMPurify when considered valid in the schema
// #TINY-9655

Previously, `script` elements that were explicitly allowed through xref:content-filtering.adoc#valid_elements[`+valid_elements+`] or xref:content-filtering.adoc#extended_valid_elements[`+extended_valid_elements+`] were removed during the sanitization process when xref:content-filtering.adoc#xss_sanitization[`+xss_sanitization+`] was enabled. DOMPurify flagged these elements as potential mXSS vectors and removed them entirely, even when the schema configuration indicated they were valid.

In {productname} {release-version}, `script` elements that are considered valid in the schema are retained during sanitization. The sanitization process still removes unsafe attributes and content, but no longer removes the entire element when the schema explicitly allows it.
Contributor

Suggested change
=== Script elements would incorrectly be removed by DOMPurify when considered valid in the schema
// #TINY-9655
Previously, `script` elements that were explicitly allowed through xref:content-filtering.adoc#valid_elements[`+valid_elements+`] or xref:content-filtering.adoc#extended_valid_elements[`+extended_valid_elements+`] were removed during the sanitization process when xref:content-filtering.adoc#xss_sanitization[`+xss_sanitization+`] was enabled. DOMPurify flagged these elements as potential mXSS vectors and removed them entirely, even when the schema configuration indicated they were valid.
In {productname} {release-version}, `script` elements that are considered valid in the schema are retained during sanitization. The sanitization process still removes unsafe attributes and content, but no longer removes the entire element when the schema explicitly allows it.
=== Script and style elements would incorrectly be removed by DOMPurify when considered valid in the schema
// #TINY-9655
Previously, `script` and `style` elements that were explicitly allowed through xref:content-filtering.adoc#valid_elements[`+valid_elements+`] or xref:content-filtering.adoc#extended_valid_elements[`+extended_valid_elements+`] were removed during the sanitization process when xref:content-filtering.adoc#xss_sanitization[`+xss_sanitization+`] was enabled. DOMPurify flagged these elements as potential mXSS vectors and removed them entirely, even when the schema configuration indicated they were valid.
In {productname} {release-version}, `script` and `style` elements that are considered valid in the schema are retained during sanitization. The sanitization process still removes unsafe attributes and content, but no longer removes the entire element when the schema explicitly allows it.
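Review bot: the suggested heading and body widen the note from `script` to `script` and `style`, but the PR description bullet above ("Script elements would incorrectly be removed by DOMPurify when considered valid in the schema") still covers `script` only; if TINY-9655 also fixes `style`, update that bullet to match so the description and the release note agree.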

=== Iframe elements with children would incorrectly be removed by DOMPurify
// #TINY-9655

Previously, `iframe` elements that contained child nodes were removed entirely during the sanitization process, even when the editor configuration allowed iframes. DOMPurify treated the presence of child nodes within an `iframe` as a potential mXSS risk and stripped the entire element from the content.
Contributor

Suggested change
Previously, `iframe` elements that contained child nodes were removed entirely during the sanitization process, even when the editor configuration allowed iframes. DOMPurify treated the presence of child nodes within an `iframe` as a potential mXSS risk and stripped the entire element from the content.
Previously, `iframe` elements that contained child nodes were removed entirely during the sanitization process. DOMPurify treated the presence of child nodes within an `iframe` as a potential mXSS risk and stripped the entire element from the content.
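Review bot: dropping "even when the editor configuration allowed iframes" leaves this note without the condition that made the removal a bug, unlike the `script` note, which says "when considered valid in the schema"; consider keeping a short qualifier such as "even when the schema allowed `iframe`" so both notes state the same condition.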

Labels

upcoming release Documentation for features currently under development/QA

2 participants