- Fixed XSS vulnerability in the Enhanced Image (image2) plugin reported by Kyaw Min Thein.
- Issue summary: It was possible to execute XSS inside CKEditor using the tag and specially crafted HTML. Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.
- #1835: Fixed: Integration between CKFinder and File Browser plugin does not work.
- #932: Introduced Easy Image feature for inserting images that are automatically rescaled, optimized, responsive and delivered through a blazing-fast CDN. Three new plugins were added to support it:
  - Easy Image
  - Cloud Services
  - Image Base
- #1338: Keystroke labels are displayed for function keys (like F7, F8).
- #643: The File Browser plugin can now upload files using XHR requests. This allows for setting custom HTTP headers using the config.fileTools_requestHeaders configuration option.
- #1365: The File Browser plugin uses XHR requests by default.
- #1399: Added the possibility to set CKEDITOR.config.startupFocus as start or end to specify where the editor focus should be after the initialization.
- #1441: The Magic Line plugin line element can now be identified by the data-cke-magic-line="1" attribute.
- #595: Fixed: Pasting does not work on mobile devices.
- #869: Fixed: Empty selection clears cached clipboard data in the editor.
- #1419: Fixed: The Widget Selection plugin selects the editor content with the Alt+A key combination on Windows.
- #1274: Fixed: Balloon Toolbar does not match a single selected image using the contextDefinition.cssSelector matcher.
- #1232: Fixed: Balloon Toolbar buttons should be registered as focusable elements.
- #1342: Fixed: Balloon Toolbar should be re-positioned after the change event.
- #1426: [IE8-9] Fixed: Missing Balloon Toolbar background in the Kama skin. Thanks to Christian Elmer!
- #1470: Fixed: Balloon Toolbar is not visible after drag and drop of a widget it is attached to.
- #1048: Fixed: Balloon Panel is not positioned properly when a margin is added to its non-static parent.
- #889: Fixed: Unclear error message for width and height fields in the Image and Enhanced Image plugins.
- #859: Fixed: Cannot edit a link after a double-click on the text in the link.
- #1013: Fixed: Paste from Word does not work correctly with the config.forcePasteAsPlainText option.
- #1356: Fixed: Border parse function does not allow spaces in the color value.
- #1010: Fixed: The CSS border shorthand property was incorrectly expanded ignoring the border-color style.
- #1535: Fixed: Widget mouseover border contrast is insufficient.
- #1516: Fixed: Fake selection allows removing content in read-only mode using the Backspace and Delete keys.
- #1570: Fixed: Fake selection allows cutting content in read-only mode using the Ctrl/Cmd + X keys.
- #1363: Fixed: Paste notification is unclear and it might confuse users.
- #1346: Balloon Toolbar context manager API is now available in the pluginDefinition.init method of the requiring plugin.
- #1530: Added the possibility to use custom icons for buttons.
- Updated SCAYT (Spell Check As You Type) and WebSpellChecker plugins:
  - SCAYT scayt_minWordLength configuration option now defaults to 3 instead of 4.
  - SCAYT default number of suggested words in the context menu changed to 3.
  - #90: Fixed: Selection is lost on link creation if SCAYT highlights the word.
  - Fixed: SCAYT crashes when the browser localStorage is disabled.
  - [IE11] Fixed: Unable to get property type of undefined or null reference error in the browser console when SCAYT is disabled/enabled.
  - #46: Fixed: Editing is blocked when remote spell checker server is offline.
  - Fixed: User Dictionary cannot be created in WSC due to You already have the dictionary error.
  - Fixed: Words with apostrophe ' on the replacement make the WSC dialog inaccessible.
  - Fixed: SCAYT/WSC causes the Uncaught TypeError error in the browser console.
- #1337: Updated the samples layout with the new CKEditor 4 logo and color scheme.
- #1591: CKBuilder and language tools are now downloaded over HTTPS. Thanks to August Detlefsen!