tinymce · kemister85 · Feb 11, 2026 · Feb 10, 2026 · Feb 11, 2026 · Feb 11, 2026
@@ -1 +1 @@
-7.9.1
+7.9.2
@@ -417,6 +417,11 @@
 ** xref:tinymce-and-cors.adoc[Cross-Origin Resource Sharing (CORS)]
 * Release information
 ** xref:release-notes.adoc[Release notes for {productname}]
+*** {productname} 7.9.2
+**** xref:7.9.2-release-notes.adoc#overview[Overview]
+**** xref:7.9.2-release-notes.adoc#additions[Additions]
+**** xref:7.9.2-release-notes.adoc#deprecated[Deprecated]
+**** xref:7.9.2-release-notes.adoc#security-fixes[Security fixes]
 *** {productname} 7.9.0
 **** xref:7.9.0-release-notes.adoc#overview[Overview]
 **** xref:7.9.0-release-notes.adoc#accompanying-premium-self-hosted-server-side-component-changes[Accompanying Premium self-hosted server-side component changes]

@@ -0,0 +1,59 @@
+= {productname} {release-version}
+:release-version: 7.9.2
+:navtitle: {productname} {release-version}
+:description: Release notes for {productname} {release-version}
+:keywords: releasenotes, new, changes, bugfixes
+:page-toclevels: 1
+
+include::partial$misc/admon-releasenotes-for-stable.adoc[]
+
+
+[[overview]]
+== Overview
+
+{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Wednesday, February 11^th^, 2026. These release notes provide an overview of the changes for {productname} {release-version}, including:
+
+* xref:additions[Additions]
+* xref:deprecated[Deprecated]
+* xref:security-fixes[Security fixes]
+
+
+[[additions]]
+== Additions
+
+{productname} {release-version} also includes the following addition:
+
+=== Introduced `allow_html_in_comments` option
+
+Introduced `allow_html_in_comments` option (boolean, default: `true`) to control handling of HTML-like syntax in comment nodes. This option will default to `false` in TinyMCE 8.x.
+
+For information on the `allow_html_in_comments` option, see: xref:content-filtering.adoc#allow-html-in-comments[allow_html_in_comments].
+
+
+[[deprecated]]
+== Deprecated
+
+{productname} {release-version} includes the following deprecation:
+
+=== The default value of `allow_html_in_comments` will change in TinyMCE 8.x
+
+The default value of `allow_html_in_comments` will change from `true` to `false` in TinyMCE 8.x.
+
+
+[[security-fixes]]
+== Security fixes
+
+{productname} {release-version} includes fixes for the following security issues:
+
+=== Enhanced content sanitization
+
+Updated dependencies and parsing logic for enhanced content sanitization. HTML-like content in comments and certain legacy patterns are now sanitized more strictly when `xss_sanitization` is enabled (default). The introduced `allow_html_in_comments` option provides control over comment node sanitization behavior.
+
+For information on content sanitization, see: xref:security.adoc#sanitizing-html-input-to-protect-against-xss-attacks[Sanitizing HTML input to protect against XSS attacks].
+
+[IMPORTANT]
+====
+**Migration:** Legacy content using HTML comment wrappers in script or style tags should be updated to use modern syntax without comment wrappers. These comment patterns were primarily used for compatibility with browsers from the 1990s and are not required by modern browsers.
+
+**Workaround:** To temporarily preserve existing content during migration, set `xss_sanitization: false`, though this is **not recommended** for production environments due to security implications.
+====
@@ -4,6 +4,20 @@
 
 NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes].
 
+== xref:7.9.2-release-notes.adoc[7.9.2 - 2026-02-11]
+
+=== Deprecated
+
+* The default value of `allow_html_in_comments` will change from `true` to `false` in TinyMCE 8.x.
+// #TINY-11900
+
+=== Security
+
+* Updated dependencies and parsing logic for enhanced content sanitization. HTML-like content in comments and certain legacy patterns are now sanitized more strictly when `xss_sanitization` is enabled (default). The introduced `allow_html_in_comments` option provides control over comment node sanitization behavior.
+// #TINY-11900
+* Introduced `allow_html_in_comments` option (boolean, default: `true`) to control handling of HTML-like syntax in comment nodes. This option will default to `false` in TinyMCE 8.x.
+// #TINY-11900
+
 == 7.9.1 - 2025-05-29
 
 === Improved

@@ -7,6 +7,8 @@ include::partial$configuration/allow_conditional_comments.adoc[]
 
 include::partial$configuration/allow_html_in_named_anchor.adoc[]
 
+include::partial$configuration/allow_html_in_comments.adoc[]
+
 include::partial$configuration/allow_mathml_annotation_encodings.adoc[]
 
 include::partial$configuration/allow_unsafe_link_target.adoc[]

@@ -9,6 +9,12 @@ This section lists the releases for {productname} 7 and the changes made in each
 [cols="1,1"]
 |===
 
+a|
+[.lead]
+xref:7.9.2-release-notes.adoc#overview[{productname} 7.9.2]
+
+Release notes for {productname} 7.9.2
+
 a|
 [.lead]
 xref:7.9.0-release-notes.adoc#overview[{productname} 7.9.0]

@@ -0,0 +1,25 @@
+[[allow-html-in-comments]]
+== `+allow_html_in_comments+`
+
+This option controls whether HTML-like syntax in comment nodes is allowed during content sanitization. When set to `false`, HTML-like content in comment nodes will be sanitized more strictly.
+
+*Type:* `+Boolean+`
+
+*Default value:* `+true+`
+
+*Possible values:* `+true+`, `+false+`
+
+[NOTE]
+====
+This option will default to `false` in {productname} 8.x.
+====
+
+=== Example: using `+allow_html_in_comments+`
+
+[source,js]
+----
+tinymce.init({
+  selector: 'textarea',  // change this value according to your HTML
+  allow_html_in_comments: false
+});
+----