stable

ckeditor-4.20.0-1.fc36

FEDORA-2022-b61dfd219b created by siwinski 2 years ago for Fedora 36

CKEditor 4.20

New Features:

Fixed Issues:

API changes:

CKEditor 4.19.1

Fixed Issues:

API changes:

  • #5184: Added the config.editorplaceholder_delay configuration option allowing to delay placeholder before it is toggled when changing editor content.
  • #5184: Added the CKEDITOR.tools#debounce() function allowing to postpone a passed function execution until the given milliseconds have elapsed since the last time it was invoked.

CKEditor 4.19.0

New features:

Fixed Issues:

  • #4543: Fixed: Toolbar buttons toggle state is not correctly announced by screen readers lacking the information whether the feature is on or off.
  • #4052: Fixed: Editor labels are read incorrectly by screen readers due to invalid editor control type for the Iframe Editing Area editors.
  • #1904: Fixed: Screen readers are not announcing the read-only editor state.
  • #4904: Fixed: Table cell selection and navigation with the tab key behavior is inconsistent after adding a new row.
  • #3394: Fixed: Enhanced image plugin dialog is not supporting URL with query string parameters. Thanks to Simon Urli!
  • #5049: Fixed: The editor fails in strict mode due to not following the use strict directives in a core editor module.
  • #5095: Fixed: The clipboard plugin shows notification about unsupported file format when the file type is different than jpg, gif, png, not respecting supported types by the Upload Widget plugin.
  • #4855: [iOS] Fixed: Focusing toolbar buttons with an enabled VoiceOver screen reader moves the browser focus into an editable area and interrupts button functionality.

API changes:

CKEditor 4.18.0

Security Updates:

  • Fixed an XSS vulnerability in the core module reported by GitHub Security Lab team member Kevin Backhouse.

    Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing a JavaScript code. See CVE-2022-24728 for more details.

  • Fixed a Regular expression Denial of Service (ReDoS) vulnerability in dialog plugin discovered by the CKEditor 4 team during our regular security audit.

    Issue summary: The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. See CVE-2022-24729 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Web Spell Checker ended support for WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.

We strongly encourage everyone to choose one of the other available spellchecking solutions - Spell Check As You Type (SCAYT) or WProofreader.

Fixed issues:

Other changes:

  • #5093: Deprecated and removed WebSpellChecker Dialog from presets.
  • #5127: Deprecated the CKEDITOR.rnd property to discourage using it in a security-sensitive context.
  • #5087: Improved the jQuery adapter by replacing a deprecated jQuery API with existing counterparts. Thanks to Fran Boon!
  • #5128: Improved the Emoji definitions encoding set by the config.emoji_emojiListUrl configuration option.

CKEditor 4.17.2

Fixed issues:

  • #4934: Fixed: Active focus in dialog tabs is not visible in the High Contrast mode.
  • #547: Fixed: Dragging and dropping elements like images within a table is no longer available.
  • #4875: Fixed: It is not possible to delete multiple selected lists.
  • #4873: Fixed: Pasting content from MS Word and Outlook with horizontal lines prevents images from being uploaded.
  • #4952: Fixed: Dragging and dropping images within a table cell appends additional elements.
  • #4761: Fixed: Some CSS files are missing unique timestamp used to prevent browser to cache static resources between editor releases.
  • #4987: Fixed: Find/Replace is not recognizing more than one space character.
  • #5061: Fixed: Find/Replace plugin incorrectly handles multiple whitespace during replacing text.
  • #5004: Fixed: MutationObserver used in IFrame Editing Area plugin causes memory leaks.
  • #4994: Fixed: Easy Image plugin caused content pasted from Word to turn into an image.

API changes:

Other changes:

  • #5014: Fixed: Toolbar configurator fails when plugin does not define a toolbar group. Thanks to SuperPat!

CKEditor 4.17.1

Highlights:

Due to a regression in CKEeditor 4.17.0 version that was only revealed after the release and affected a limited area of operation, CSS assets loaded via relative links started to point into invalid location when loaded from external resources.

We have therefore decided to immediately release CKEditor 4.17.1 that fixed this problem. If you have already upgraded to v4.17.0, make sure to upgrade to v4.17.1 to avoid this regression.

Fixed issues:

  • #4979: Fixed: Added cache key in #4761 started to breaking relative links for external CSS resources. The fix has been reverted and will be corrected in the next editor version.

CKEditor 4.17

Security Updates:

  • Fixed XSS vulnerability in the core module reported by William Bowling.

    Issue summary: The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41165 for more details.

  • Fixed XSS vulnerability in the core module reported by Maurice Dauer.

    Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41164 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Adobe ended support of Flash Player on December 31, 2020 and blocked Flash content from running in Flash Player beginning January 12, 2021. We have decided to deprecate and remove the Flash plugin from CKEditor 4 to help protect users' systems and discourage using insecure software.

New Features:

  • #3433: Marked required fields in dialogs with asterisk (*) symbol.
  • #4374: Integrated the Maximize plugin with browser's History API.
  • #4461: Introduced the possibility to delay editor initialization while it is in a detached DOM element.
  • #4462: Introduced support for reattaching editor container element to DOM.
  • #4612: Allow pasting images as Base64 from clipboard in all browsers except IE.
  • #4681: Allow drag and drop images as Base64.
  • #4750: Added notification for pasting and dropping unsupported file types into the editor.
  • #4807: [Chrome] Improved the performance of pasting large images. Thanks to FlowIT-JIT!
  • #4850: Added support for loading content templates from HTML files. Thanks to Fynn96!
  • #4874: Added the config.clipboard_handleImages configuration option for enabling and disabling built-in support for pasting and dropping images in the Clipboard plugin. Thanks to FlowIT-JIT!
  • #4026: Preview plugin now uses the editor#title property for the title of the preview window. Thanks to Ely!
  • #4467: Added support for inserting content next to a block widgets using keyboard navigation. Thanks to bunglegrind!

Fixed Issues:

  • #3757: [Firefox] Fixed: images pasted from clipboard are not inserted as Base64-encoded images.
  • #3876: Fixed: The Print plugin incorrectly prints links and images.
  • #4444: [Firefox] Fixed: Print preview is incorrectly loaded from CDN.
  • #4596: Fixed: Incorrect handling of HSL/HSLA values in CKEDITOR.tools.color.
  • #4597: Fixed: Incorrect color conversion for HSL/HSLA values in CKEDITOR.tools.color.
  • #4604: Fixed: CKEDITOR.plugins.clipboard.dataTransfer#getTypes() returns no types.
  • #4761: Fixed: Not all resources loaded by the editor respect the cache key.
  • #4783: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon activating a toolbar button.
  • #4790: Fixed: Printing page is invoked before the printed page is fully loaded.
  • #4874: Fixed: Built-in support for pasting and dropping images in the Clipboard plugin restricts third party plugins from handling image pasting. Thanks to FlowIT-JIT!
  • #4888: Fixed: The CKEDITOR.dialog#setState() method throws error when there is no "OK" button in the dialog.
  • #4858: Fixed: The Autolink plugin incorrectly escapes the & characters when pasting links into the editor.
  • #4892: Fixed: Focus of buttons in dialogs is not visible enough in High Contrast mode.
  • #3858: Fixed: Pasting content in ENTER_BR enter mode crashes the editor.
  • #4891: Fixed: The Autogrow plugin applies fixed width to the editor.

API Changes:

Other Changes:

  • #4866: The Flash plugin is now deprecated and has been removed from CKEditor 4.
  • #4901: Redesigned buttons placement in the Content templates dialog to make it more UX friendly. Thanks to Fynn96!

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2022-b61dfd219b

This update has been submitted for testing by siwinski.

2 years ago

This update's test gating status has been changed to 'ignored'.

2 years ago

This update has been pushed to testing.

2 years ago

This update has been submitted for stable by bodhi.

2 years ago

This update has been pushed to stable.

2 years ago

Please login to add feedback.

Metadata
Type
security
Severity
high
Karma
0
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
7 days
Dates
submitted
2 years ago
in testing
2 years ago
in stable
2 years ago
BZ#2024097 ckeditor-4.20.0 is available
0
0
BZ#2065297 CVE-2022-24728 ckeditor: Cross Site Scripting in WYSIWYG [fedora-all]
0
0
BZ#2065299 CVE-2022-24728 ckeditor: Cross Site Scripting in WYSIWYG [epel-all]
0
0
BZ#2065300 CVE-2022-24729 ckeditor: Dialog Plugin regular expression usage causes performance drop [fedora-all]
0
0
BZ#2065301 CVE-2022-24729 ckeditor: Dialog Plugin regular expression usage causes performance drop [epel-7]
0
0

Automated Test Results