New Features:
config.tabletools_scopedHeaders
configuration option controlling the behaviour of table headers with and without the [scope]
attribute.config.image2_defaultLockRatio
configuration option allowing to set the default value of the "Lock ratio" option in the Enhanced Image dialog.configDefinition.followingSpace
option for the mentions plugin, andconfig.emoji_followingSpace
option for the emoji plugin.config.coreStyles_toggleSubSup
configuration option which disallows setting the subscript and superscript on the same element simultaneously using UI buttons. This option is turned off by default.Fixed Issues:
config.autolink_urlRegex
option produced invalid links when configured directly using the editor instance config. Thanks to Aigars Zeiza!entities_processNumerical = true
configuration option.API changes:
config.removeButtons
config variable.followingSpace
option that finishes an accepted match with a space.Fixed Issues:
backspace
key removes the editor editable area and crashes the editor.checkbox.setValue
and radio.setValue
methods are not chainable as stated in the documentation. Thanks to Jordan Bradford!CKEDITOR.tools#convertToPx()
gives invalid results if the helper calculator element was deleted from the DOM.dialog.validate#functions
incorrectly composes functions that return an optional error message, like e.g. dialog.validate.number
due to unnecessary return type coercion.Enter
key.API changes:
config.editorplaceholder_delay
configuration option allowing to delay placeholder before it is toggled when changing editor content.CKEDITOR.tools#debounce()
function allowing to postpone a passed function execution until the given milliseconds have elapsed since the last time it was invoked.New features:
CKEDITOR.replace
, CKEDITOR.inline
, CKEDITOR.appendTo
).config.shiftLineBreaks
allowing to preserve inline elements formatting when the shift
+enter
keystroke is used.config.applicationTitle
configuration option allowing to customize or disable the editor's application region label. This option, combined with config.title
, gives much better control over the editor's labels read by screen readers.Fixed Issues:
tab
key behavior is inconsistent after adding a new row.use strict
directives in a core editor module.jpg
, gif
, png
, not respecting supported types by the Upload Widget plugin.API changes:
CKEDITOR.replace
, CKEDITOR.inline
, CKEDITOR.appendTo
functions are now returning a handle function allowing to cancel the Delayed Editor Creation feature.config.applicationTitle
alongside CKEDITOR.editor#applicationTitle
to allow customizing editor's application region label.Security Updates:
Fixed an XSS vulnerability in the core module reported by GitHub Security Lab team member Kevin Backhouse.
Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing a JavaScript code. See CVE-2022-24728 for more details.
Fixed a Regular expression Denial of Service (ReDoS) vulnerability in dialog plugin discovered by the CKEditor 4 team during our regular security audit.
Issue summary: The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. See CVE-2022-24729 for more details.
You can read more details in the relevant security advisory and contact us if you have more questions.
An upgrade is highly recommended!
Highlights:
Web Spell Checker ended support for WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.
We strongly encourage everyone to choose one of the other available spellchecking solutions - Spell Check As You Type (SCAYT) or WProofreader.
Fixed issues:
CKEDITOR.tools.convertToPx()
.select
elements with multiple
attribute had incorrect styling. Thanks to John R. D'Orazio!Other changes:
CKEDITOR.rnd
property to discourage using it in a security-sensitive context.config.emoji_emojiListUrl
configuration option.Fixed issues:
MutationObserver
used in IFrame Editing Area plugin causes memory leaks.API changes:
config.useComputedState
default value to true
. Thanks to Shabab Karim!CKEDITOR.appendTimestamp()
function was added.CKEDITOR.dom.document#appendStyleSheet()
and CKEDITOR.tools.buildStyleHtml()
now use the newly added CKEDITOR.appendTimestamp()
function to correctly handle caching of CSS files.Other changes:
Highlights:
Due to a regression in CKEeditor 4.17.0 version that was only revealed after the release and affected a limited area of operation, CSS assets loaded via relative links started to point into invalid location when loaded from external resources.
We have therefore decided to immediately release CKEditor 4.17.1 that fixed this problem. If you have already upgraded to v4.17.0, make sure to upgrade to v4.17.1 to avoid this regression.
Fixed issues:
Security Updates:
Fixed XSS vulnerability in the core module reported by William Bowling.
Issue summary: The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41165 for more details.
Fixed XSS vulnerability in the core module reported by Maurice Dauer.
Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41164 for more details.
You can read more details in the relevant security advisory and contact us if you have more questions.
An upgrade is highly recommended!
Highlights:
Adobe ended support of Flash Player on December 31, 2020 and blocked Flash content from running in Flash Player beginning January 12, 2021. We have decided to deprecate and remove the Flash plugin from CKEditor 4 to help protect users' systems and discourage using insecure software.
New Features:
*
) symbol.config.clipboard_handleImages
configuration option for enabling and disabling built-in support for pasting and dropping images in the Clipboard plugin. Thanks to FlowIT-JIT!editor#title
property for the title of the preview window. Thanks to Ely!Fixed Issues:
CKEDITOR.tools.color
.CKEDITOR.tools.color
.CKEDITOR.plugins.clipboard.dataTransfer#getTypes()
returns no types.CKEDITOR.dialog#setState()
method throws error when there is no "OK" button in the dialog.&
characters when pasting links into the editor.ENTER_BR
enter mode crashes the editor.API Changes:
CKEDITOR.editor#getSelection()
now returns null
if the editor is in recreating state.CKEDITOR.tools.color
.CKEDITOR.plugins.clipboard.dataTransfer#isFileTransfer()
method.callback
parameter to CKEDITOR.plugins.preview#createPreview()
method.Other Changes:
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2022-b61dfd219b
Please login to add feedback.
This update has been submitted for testing by siwinski.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.