Security Updates:
Fixed XSS vulnerability in the Clipboard plugin reported by Anton Subbotin.
Issue summary: The vulnerability made it possible to abuse the paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. See the security advisory for more details.
Fixed XSS vulnerability in the Widget plugin reported by Anton Subbotin.
Issue summary: The vulnerability made it possible to abuse the undo functionality using malformed Widget HTML, which could result in executing JavaScript code. See the security advisory for more details.
Fixed XSS vulnerability in the Fake Objects plugin reported by Mika Kulmala.
Issue summary: The vulnerability made it possible to inject malformed Fake Objects HTML, which could result in executing JavaScript code. See the security advisory for more details.
You can read more details in the relevant security advisory and contact us if you have more questions.
An upgrade is highly recommended!
Fixed Issues:
character appears in the editor instead of a space.
TypeError is thrown when switching to Source View and back while Autocomplete plugin is enabled.
Fixed Issues:
div Enter mode.
false is treated as an event cancelation.
CKEDITOR.htmlParser does not treat --!> as a comment end tag correctly.
Security Updates:
Fixed ReDoS vulnerability in the Autolink plugin.
Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste specially crafted URL-like text into the editor and press <kbd>Enter</kbd> or <kbd>Space</kbd>.
Fixed ReDoS vulnerability in the Advanced Tab for Dialogs plugin.
Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste specially crafted text into the Styles dialog.
An upgrade is highly recommended!
New Features:
tabindex attribute. Thanks to Timo Kirkkala!
Fixed Issues:
config.fullPage enabled when there is no <body> tag in the editor content.
config.width value.
API Changes:
CKEDITOR.tools.color class which adds colors validation and methods for converting colors between various formats: named colors, HEX, RGB, RGBA, HSL and HSLA.
CKEDITOR.plugins.pastetools.filters.word.images filters to the CKEDITOR.plugins.pastetools.filters.image namespace.
CKEDITOR.plugins.pastetools.filters are now available under the CKEDITOR.pasteTools alias.
CKEDITOR.ajax specialized loading methods for loading binary (CKEDITOR.ajax.loadBinary()) and text (CKEDITOR.ajax.loadText()) data.
Other Changes:
extraPlugins configuration option.
Security Updates:
Fixed XSS vulnerability in the Color History feature reported by Mark Wade.
Issue summary: It was possible to execute an XSS-type attack inside CKEditor 4 by persuading a victim to paste specially crafted HTML code into the Color Button dialog.
An upgrade is highly recommended!
Fixed Issues:
CKEDITOR.inlineAll() method tries to initialize inline editor also on elements with an editor already attached to them.
CKEDITOR.domReady() method connected with not removing load event listeners. Thanks to rohit1!
auto or 0 value is used.
0 on editor resize.
API Changes:
stylesRemove editor event.
Other Changes:
stylesLoaded variable. Thanks to Levi Carter!
1.0.1 version:
New features:
colorName property for customizing foreground and background styles in the Color Button plugin via the config.colorButton_foreStyle and config.colorButton_backStyle configuration options.
Fixed Issues:
config.dataIndentationChars configuration option to an empty string is ignored and replaced by a tab (\t) character. Thanks to Thomas Grinderslev!
selection.scrollIntoView method throws an error when the editor selection is not set.
<select> element inside the editor.
Fixed Issues:
config.readOnly configuration option not considered for startup read-only mode of inline editor.
config.autolink_urlRegex and config.autolink_emailRegex options are not customizable. Thanks to Sergiy Dobrovolsky!
editor.resize() method does not work with CSS units.
Other Changes:
This update has been submitted for testing by siwinski.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
siwinski edited this update.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.