FEDORA-2022-9d655503ea

Packages in this update:

drupal7-7.92-1.fc36

Update description:

7.92
7.91
SA-CORE-2022-012 / CVE-2022-25275

7.90
7.89
7.88
SA-CORE-2022-003 / CVE-2022-25271

7.87
7.86
SA-CORE-2022-001 / CVE-2021-41184
SA-CORE-2022-002 / CVE-2021-41182 / CVE-2021-41183 / CVE-2016-7103 / CVE-2010-5312

7.85
7.84
7.83

Read More

FEDORA-2022-d5fc9dcdd7

Packages in this update:

php-Smarty-3.1.47-1.fc37

Update description:

[3.1.47] – 2022-09-14

Security

Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

Fixed use of rand() without a parameter in math function #794
Fixed unselected year/month/day not working in html_select_date #395

[3.1.46] – 2022-08-01

Fixed

Fixed problems with smarty_mb_str_replace #549
Fixed second parameter of unescape modifier not working #777

[3.1.45] – 2022-05-17

Security

Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

Math equation max(x, y) didn’t work anymore #721

[3.1.44] – 2022-01-18

Fixed

Fixed illegal characters bug in math function security check #702

[3.1.43] – 2022-01-10

Security

Prevent evasion of the static_classes security policy. This addresses CVE-2021-21408

[3.1.42] – 2022-01-10

Security

Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454

[3.1.41] – 2022-01-09

Security

Rewrote the mailto function to not use eval when encoding with javascript

[3.1.40] – 2021-10-13

Changed

modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

Security

More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

[3.1.39] – 2021-02-17

Security

Prevent access to $smarty.template_object in sandbox mode. This addresses CVE-2021-26119.
Fixed code injection vulnerability by using illegal function names in {function name=’blah’}{/function}. This addresses CVE-2021-26120.

[3.1.38] – 2021-01-08

Fixed

Smarty::SMARTY_VERSION wasn’t updated https://github.com/smarty-php/smarty/issues/628

[3.1.37] – 2021-01-07

Changed

Changed error handlers and handling of undefined constants for php8-compatibility (set $errcontext argument optional) https://github.com/smarty-php/smarty/issues/605
Changed expected error levels in unit tests for php8-compatibility
Travis unit tests now run for all php versions >= 5.3, including php8
Travis runs on Xenial where possible

Fixed

PHP5.3 compatibility fixes
Brought lexer source functionally up-to-date with compiled version

[3.1.36] – 2020-04-14

Fixed

Smarty::SMARTY_VERSION wasn’t updated in v3.1.35 https://github.com/smarty-php/smarty/issues/584

[3.1.35] – 2020-04-14

remove whitespaces after comments https://github.com/smarty-php/smarty/issues/447
fix foreachelse on arrayiterators https://github.com/smarty-php/smarty/issues/506
fix files contained in git export archive for package maintainers https://github.com/smarty-php/smarty/issues/325
throw SmartyException when setting caching attributes for cacheable plugin https://github.com/smarty-php/smarty/issues/457
fix errors that occured where isset was replaced with null check such as https://github.com/smarty-php/smarty/issues/453
unit tests are now in the repository

3.1.34 release – 05.11.2019

13.01.2020
– fix typo in exception message (JercSi)
– fix typehint warning with callable (bets4breakfast)
– add travis badge and compatability info to readme (matks)
– fix stdClass cast when compiling foreach (carpii)
– fix wrong set/get methods for memcached (IT-Experte)
– fix pborm assigning value to object variables in smarty_internal_compile_assign (Hunman)
– exclude error_reporting.ini from git export (glensc)

3.1.34-dev-6 –

30.10.2018
– bugfix a nested subblock in an inheritance child template was not replace by
outer level block with same name in same child template https://github.com/smarty-php/smarty/issues/500

29.10.2018
– bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the “n” (newline) character if it did directly followed
a PHP tag like “?>” or other https://github.com/smarty-php/smarty/issues/501

14.10.2018
– bugfix autoloader exit shortcut https://github.com/smarty-php/smarty/issues/467

11.10.2018
– bugfix {insert} not works when caching is enabled and included template is present
https://github.com/smarty-php/smarty/issues/496
– bugfix in date-format modifier; NULL at date string or default_date did not produce correct output
https://github.com/smarty-php/smarty/pull/458

09.10.2018
– bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327
modifier is applied to sum expression https://github.com/smarty-php/smarty/issues/491
– bugfix indexed arrays could not be defined “array(…)””

18.09.2018
– bugfix large plain text template sections without a Smarty tag > 700kB could
could fail in version 3.1.32 and 3.1.33 because PHP preg_match() restrictions
https://github.com/smarty-php/smarty/issues/488

Read More

FEDORA-2022-52154efd61

Packages in this update:

php-Smarty-3.1.47-1.fc36

Update description:

[3.1.47] – 2022-09-14

Security

Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

Fixed use of rand() without a parameter in math function #794
Fixed unselected year/month/day not working in html_select_date #395

[3.1.46] – 2022-08-01

Fixed

Fixed problems with smarty_mb_str_replace #549
Fixed second parameter of unescape modifier not working #777

[3.1.45] – 2022-05-17

Security

Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

Math equation max(x, y) didn’t work anymore #721

[3.1.44] – 2022-01-18

Fixed

Fixed illegal characters bug in math function security check #702

[3.1.43] – 2022-01-10

Security

Prevent evasion of the static_classes security policy. This addresses CVE-2021-21408

[3.1.42] – 2022-01-10

Security

Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454

[3.1.41] – 2022-01-09

Security

Rewrote the mailto function to not use eval when encoding with javascript

[3.1.40] – 2021-10-13

Changed

modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

Security

More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

[3.1.39] – 2021-02-17

Security

Prevent access to $smarty.template_object in sandbox mode. This addresses CVE-2021-26119.
Fixed code injection vulnerability by using illegal function names in {function name=’blah’}{/function}. This addresses CVE-2021-26120.

[3.1.38] – 2021-01-08

Fixed

Smarty::SMARTY_VERSION wasn’t updated https://github.com/smarty-php/smarty/issues/628

[3.1.37] – 2021-01-07

Changed

Changed error handlers and handling of undefined constants for php8-compatibility (set $errcontext argument optional) https://github.com/smarty-php/smarty/issues/605
Changed expected error levels in unit tests for php8-compatibility
Travis unit tests now run for all php versions >= 5.3, including php8
Travis runs on Xenial where possible

Fixed

PHP5.3 compatibility fixes
Brought lexer source functionally up-to-date with compiled version

[3.1.36] – 2020-04-14

Fixed

Smarty::SMARTY_VERSION wasn’t updated in v3.1.35 https://github.com/smarty-php/smarty/issues/584

[3.1.35] – 2020-04-14

remove whitespaces after comments https://github.com/smarty-php/smarty/issues/447
fix foreachelse on arrayiterators https://github.com/smarty-php/smarty/issues/506
fix files contained in git export archive for package maintainers https://github.com/smarty-php/smarty/issues/325
throw SmartyException when setting caching attributes for cacheable plugin https://github.com/smarty-php/smarty/issues/457
fix errors that occured where isset was replaced with null check such as https://github.com/smarty-php/smarty/issues/453
unit tests are now in the repository

3.1.34 release – 05.11.2019

13.01.2020
– fix typo in exception message (JercSi)
– fix typehint warning with callable (bets4breakfast)
– add travis badge and compatability info to readme (matks)
– fix stdClass cast when compiling foreach (carpii)
– fix wrong set/get methods for memcached (IT-Experte)
– fix pborm assigning value to object variables in smarty_internal_compile_assign (Hunman)
– exclude error_reporting.ini from git export (glensc)

3.1.34-dev-6 –

30.10.2018
– bugfix a nested subblock in an inheritance child template was not replace by
outer level block with same name in same child template https://github.com/smarty-php/smarty/issues/500

29.10.2018
– bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the “n” (newline) character if it did directly followed
a PHP tag like “?>” or other https://github.com/smarty-php/smarty/issues/501

14.10.2018
– bugfix autoloader exit shortcut https://github.com/smarty-php/smarty/issues/467

11.10.2018
– bugfix {insert} not works when caching is enabled and included template is present
https://github.com/smarty-php/smarty/issues/496
– bugfix in date-format modifier; NULL at date string or default_date did not produce correct output
https://github.com/smarty-php/smarty/pull/458

09.10.2018
– bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327
modifier is applied to sum expression https://github.com/smarty-php/smarty/issues/491
– bugfix indexed arrays could not be defined “array(…)””

18.09.2018
– bugfix large plain text template sections without a Smarty tag > 700kB could
could fail in version 3.1.32 and 3.1.33 because PHP preg_match() restrictions
https://github.com/smarty-php/smarty/issues/488

Read More

FEDORA-EPEL-2022-576e858e93

Packages in this update:

php-Smarty-3.1.47-1.el7

Update description:

[3.1.47] – 2022-09-14

Security

Applied appropriate javascript and html escaping in mailto plugin to counter injection attacks #454

Fixed

Fixed use of rand() without a parameter in math function #794
Fixed unselected year/month/day not working in html_select_date #395

[3.1.46] – 2022-08-01

Fixed

Fixed problems with smarty_mb_str_replace #549
Fixed second parameter of unescape modifier not working #777

[3.1.45] – 2022-05-17

Security

Prevent PHP injection through malicious block name or include file name. This addresses CVE-2022-29221

Fixed

Math equation max(x, y) didn’t work anymore #721

[3.1.44] – 2022-01-18

Fixed

Fixed illegal characters bug in math function security check #702

[3.1.43] – 2022-01-10

Security

Prevent evasion of the static_classes security policy. This addresses CVE-2021-21408

[3.1.42] – 2022-01-10

Security

Prevent arbitrary PHP code execution through maliciously crafted expression for the math function. This addresses CVE-2021-29454

[3.1.41] – 2022-01-09

Security

Rewrote the mailto function to not use eval when encoding with javascript

[3.1.40] – 2021-10-13

Changed

modifier escape now triggers a E_USER_NOTICE when an unsupported escape type is used https://github.com/smarty-php/smarty/pull/649

Security

More advanced javascript escaping to handle https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements thanks to m-haritonov

[3.1.39] – 2021-02-17

Security

Prevent access to $smarty.template_object in sandbox mode. This addresses CVE-2021-26119.
Fixed code injection vulnerability by using illegal function names in {function name=’blah’}{/function}. This addresses CVE-2021-26120.

[3.1.38] – 2021-01-08

Fixed

Smarty::SMARTY_VERSION wasn’t updated https://github.com/smarty-php/smarty/issues/628

[3.1.37] – 2021-01-07

Changed

Changed error handlers and handling of undefined constants for php8-compatibility (set $errcontext argument optional) https://github.com/smarty-php/smarty/issues/605
Changed expected error levels in unit tests for php8-compatibility
Travis unit tests now run for all php versions >= 5.3, including php8
Travis runs on Xenial where possible

Fixed

PHP5.3 compatibility fixes
Brought lexer source functionally up-to-date with compiled version

[3.1.36] – 2020-04-14

Fixed

Smarty::SMARTY_VERSION wasn’t updated in v3.1.35 https://github.com/smarty-php/smarty/issues/584

[3.1.35] – 2020-04-14

remove whitespaces after comments https://github.com/smarty-php/smarty/issues/447
fix foreachelse on arrayiterators https://github.com/smarty-php/smarty/issues/506
fix files contained in git export archive for package maintainers https://github.com/smarty-php/smarty/issues/325
throw SmartyException when setting caching attributes for cacheable plugin https://github.com/smarty-php/smarty/issues/457
fix errors that occured where isset was replaced with null check such as https://github.com/smarty-php/smarty/issues/453
unit tests are now in the repository

3.1.34 release – 05.11.2019

13.01.2020
– fix typo in exception message (JercSi)
– fix typehint warning with callable (bets4breakfast)
– add travis badge and compatability info to readme (matks)
– fix stdClass cast when compiling foreach (carpii)
– fix wrong set/get methods for memcached (IT-Experte)
– fix pborm assigning value to object variables in smarty_internal_compile_assign (Hunman)
– exclude error_reporting.ini from git export (glensc)

3.1.34-dev-6 –

30.10.2018
– bugfix a nested subblock in an inheritance child template was not replace by
outer level block with same name in same child template https://github.com/smarty-php/smarty/issues/500

29.10.2018
– bugfix Smarty::$php_handling == PHP_PASSTHRU (default) did eat the “n” (newline) character if it did directly followed
a PHP tag like “?>” or other https://github.com/smarty-php/smarty/issues/501

14.10.2018
– bugfix autoloader exit shortcut https://github.com/smarty-php/smarty/issues/467

11.10.2018
– bugfix {insert} not works when caching is enabled and included template is present
https://github.com/smarty-php/smarty/issues/496
– bugfix in date-format modifier; NULL at date string or default_date did not produce correct output
https://github.com/smarty-php/smarty/pull/458

09.10.2018
– bugfix fix of 26.8.2017 https://github.com/smarty-php/smarty/issues/327
modifier is applied to sum expression https://github.com/smarty-php/smarty/issues/491
– bugfix indexed arrays could not be defined “array(…)””

18.09.2018
– bugfix large plain text template sections without a Smarty tag > 700kB could
could fail in version 3.1.32 and 3.1.33 because PHP preg_match() restrictions
https://github.com/smarty-php/smarty/issues/488

Read More

The Mikrotik RouterOS web server allows memory corruption in releases before Stable 6.38.5 and Long-term 6.37.5, aka Chimay-Red. A remote and unauthenticated user can trigger the vulnerability by sending a crafted HTTP request. An attacker can use this vulnerability to execute arbitrary code on the affected system, as exploited in the wild in mid-2017 and later.

Read More

Multiple security issues were found in Django, a Python web development
framework, which could result in denial of service, SQL injection or
cross-site scripting.

Read More

FEDORA-2022-4c634ee466

Packages in this update:

ckeditor-4.20.0-1.fc37

Update description:

CKEditor 4.20

New Features:

#5084: Added the config.tabletools_scopedHeaders configuration option controlling the behaviour of table headers with and without the [scope] attribute.
#5219: Added the config.image2_defaultLockRatio configuration option allowing to set the default value of the “Lock ratio” option in the Enhanced Image dialog.
#2008: Extended the Mentions and Emoji plugins with a feature option that adds a space after an accepted autocompletion match. See:
configDefinition.followingSpace option for the mentions plugin, and
config.emoji_followingSpace option for the emoji plugin.

#5215: Added the config.coreStyles_toggleSubSup configuration option which disallows setting the subscript and superscript on the same element simultaneously using UI buttons. This option is turned off by default.

Fixed Issues:

#4889: Fixed: Incorrect position of the Table Resize cursor after scrolling the editor horizontally.
#5319: Fixed: Autolink config.autolink_urlRegex option produced invalid links when configured directly using the editor instance config. Thanks to Aigars Zeiza!
#4941: Fixed: Some entities got wrongly encoded when using entities_processNumerical = true configuration option.
#4931: Fixed: Selecting the whole editor content when there is only a list with an empty element at the end inside and deleting it did not delete all list items.

API changes:

#5122: Added the ability to provide a list of buttons as an array to the config.removeButtons config variable.
#2008: Added Autocomplete followingSpace option that finishes an accepted match with a space.

CKEditor 4.19.1

Fixed Issues:

#5125: Fixed: Deleting a widget with disabled autoParagraph by the keyboard backspace key removes the editor editable area and crashes the editor.
#5135: Fixed: The checkbox.setValue and radio.setValue methods are not chainable as stated in the documentation. Thanks to Jordan Bradford!
#5085: Fixed: The Language plugin removes the element marking the text in foreign language if said element does not have an information about the text direction.
#4284: Fixed: Tableselection Merging cells with a rowspan throws an unexpected error and does not create an undo step.
#5184: Fixed: The Editor Placeholder plugin degrades typing performance.
#5158: Fixed: CKEDITOR.tools#convertToPx() gives invalid results if the helper calculator element was deleted from the DOM.
#5234: Fixed: Easy Image doesn’t allow to upload images files using toolbar button.
#438: Fixed: It is impossible to navigate to the elementspath from the toolbar by keyboard and vice versa.
#4449: Fixed: dialog.validate#functions incorrectly composes functions that return an optional error message, like e.g. dialog.validate.number due to unnecessary return type coercion.
#4473: Fixed: The dialog.validate method does not accept parameter value. The issue originated in dialog.validate.functions method that did not properly propagate parameter value to validator. Affected validators:
functions
equals
notEqual
cssLength
htmlLength
inlineStyle

#5147: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon leaving dialogs.
#5144: Fixed: Menu buttons and panel buttons incorrectly indicate the open status of their associated pop-up menus in the browser’s accessibility tree.
#5022: Fixed: Find and Replace does not respond to the Enter key.

API changes:

#5184: Added the config.editorplaceholder_delay configuration option allowing to delay placeholder before it is toggled when changing editor content.
#5184: Added the CKEDITOR.tools#debounce() function allowing to postpone a passed function execution until the given milliseconds have elapsed since the last time it was invoked.

CKEditor 4.19.0

New features:

#2444: Togglable toolbar buttons are now exposed as toggle buttons in the browser’s accessibility tree.
#4641: Added an option allowing to cancel the Delayed Editor Creation feature as a function handle for editor creators (CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo).
#4986: Added config.shiftLineBreaks allowing to preserve inline elements formatting when the shift+enter keystroke is used.
#2445: Added config.applicationTitle configuration option allowing to customize or disable the editor’s application region label. This option, combined with config.title, gives much better control over the editor’s labels read by screen readers.

Fixed Issues:

#4543: Fixed: Toolbar buttons toggle state is not correctly announced by screen readers lacking the information whether the feature is on or off.
#4052: Fixed: Editor labels are read incorrectly by screen readers due to invalid editor control type for the Iframe Editing Area editors.
#1904: Fixed: Screen readers are not announcing the read-only editor state.
#4904: Fixed: Table cell selection and navigation with the tab key behavior is inconsistent after adding a new row.
#3394: Fixed: Enhanced image plugin dialog is not supporting URL with query string parameters. Thanks to Simon Urli!
#5049: Fixed: The editor fails in strict mode due to not following the use strict directives in a core editor module.
#5095: Fixed: The clipboard plugin shows notification about unsupported file format when the file type is different than jpg, gif, png, not respecting supported types by the Upload Widget plugin.
#4855: [iOS] Fixed: Focusing toolbar buttons with an enabled VoiceOver screen reader moves the browser focus into an editable area and interrupts button functionality.

API changes:

#4641: The CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo functions are now returning a handle function allowing to cancel the Delayed Editor Creation feature.
#5095: Added the CKEDITOR.plugins.clipboard.addFileMatcher function allowing to define file formats supported by the clipboard plugin. Trying to paste unsupported files will result in a notification that a file cannot be dropped or pasted into the editor.
#2445: Added config.applicationTitle alongside CKEDITOR.editor#applicationTitle to allow customizing editor’s application region label.

CKEditor 4.18.0

Security Updates:

Fixed an XSS vulnerability in the core module reported by GitHub Security Lab team member Kevin Backhouse.

Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing a JavaScript code. See CVE-2022-24728 for more details.

Fixed a Regular expression Denial of Service (ReDoS) vulnerability in dialog plugin discovered by the CKEditor 4 team during our regular security audit.

Issue summary: The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. See CVE-2022-24729 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Web Spell Checker ended support for WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.

We strongly encourage everyone to choose one of the other available spellchecking solutions – Spell Check As You Type (SCAYT) or WProofreader.

Fixed issues:

#5097: [Chrome] Fixed: Incorrect conversion of points to pixels while using CKEDITOR.tools.convertToPx().
#5044: Fixed: select elements with multiple attribute had incorrect styling. Thanks to John R. D’Orazio!

Other changes:

#5093: Deprecated and removed WebSpellChecker Dialog from presets.
#5127: Deprecated the CKEDITOR.rnd property to discourage using it in a security-sensitive context.
#5087: Improved the jQuery adapter by replacing a deprecated jQuery API with existing counterparts. Thanks to Fran Boon!
#5128: Improved the Emoji definitions encoding set by the config.emoji_emojiListUrl configuration option.

CKEditor 4.17.2

Fixed issues:

#4934: Fixed: Active focus in dialog tabs is not visible in the High Contrast mode.
#547: Fixed: Dragging and dropping elements like images within a table is no longer available.
#4875: Fixed: It is not possible to delete multiple selected lists.
#4873: Fixed: Pasting content from MS Word and Outlook with horizontal lines prevents images from being uploaded.
#4952: Fixed: Dragging and dropping images within a table cell appends additional elements.
#4761: Fixed: Some CSS files are missing unique timestamp used to prevent browser to cache static resources between editor releases.
#4987: Fixed: Find/Replace is not recognizing more than one space character.
#5061: Fixed: Find/Replace plugin incorrectly handles multiple whitespace during replacing text.
#5004: Fixed: MutationObserver used in IFrame Editing Area plugin causes memory leaks.
#4994: Fixed: Easy Image plugin caused content pasted from Word to turn into an image.

API changes:

#4918: Explicitly set the config.useComputedState default value to true. Thanks to Shabab Karim!
#4761: The CKEDITOR.appendTimestamp() function was added.
#4761: CKEDITOR.dom.document#appendStyleSheet() and CKEDITOR.tools.buildStyleHtml() now use the newly added CKEDITOR.appendTimestamp() function to correctly handle caching of CSS files.

Other changes:

#5014: Fixed: Toolbar configurator fails when plugin does not define a toolbar group. Thanks to SuperPat!

CKEditor 4.17.1

Highlights:

Due to a regression in CKEeditor 4.17.0 version that was only revealed after the release and affected a limited area of operation, CSS assets loaded via relative links started to point into invalid location when loaded from external resources.

We have therefore decided to immediately release CKEditor 4.17.1 that fixed this problem. If you have already upgraded to v4.17.0, make sure to upgrade to v4.17.1 to avoid this regression.

Fixed issues:

#4979: Fixed: Added cache key in #4761 started to breaking relative links for external CSS resources. The fix has been reverted and will be corrected in the next editor version.

CKEditor 4.17

Security Updates:

Fixed XSS vulnerability in the core module reported by William Bowling.

Issue summary: The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41165 for more details.

Fixed XSS vulnerability in the core module reported by Maurice Dauer.

Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41164 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Adobe ended support of Flash Player on December 31, 2020 and blocked Flash content from running in Flash Player beginning January 12, 2021.
We have decided to deprecate and remove the Flash plugin from CKEditor 4 to help protect users’ systems and discourage using insecure software.

New Features:

#3433: Marked required fields in dialogs with asterisk (*) symbol.
#4374: Integrated the Maximize plugin with browser’s History API.
#4461: Introduced the possibility to delay editor initialization while it is in a detached DOM element.
#4462: Introduced support for reattaching editor container element to DOM.
#4612: Allow pasting images as Base64 from clipboard in all browsers except IE.
#4681: Allow drag and drop images as Base64.
#4750: Added notification for pasting and dropping unsupported file types into the editor.
#4807: [Chrome] Improved the performance of pasting large images. Thanks to FlowIT-JIT!
#4850: Added support for loading content templates from HTML files. Thanks to Fynn96!
#4874: Added the config.clipboard_handleImages configuration option for enabling and disabling built-in support for pasting and dropping images in the Clipboard plugin. Thanks to FlowIT-JIT!
#4026: Preview plugin now uses the editor#title property for the title of the preview window. Thanks to Ely!
#4467: Added support for inserting content next to a block widgets using keyboard navigation. Thanks to bunglegrind!

Fixed Issues:

#3757: [Firefox] Fixed: images pasted from clipboard are not inserted as Base64-encoded images.
#3876: Fixed: The Print plugin incorrectly prints links and images.
#4444: [Firefox] Fixed: Print preview is incorrectly loaded from CDN.
#4596: Fixed: Incorrect handling of HSL/HSLA values in CKEDITOR.tools.color.
#4597: Fixed: Incorrect color conversion for HSL/HSLA values in CKEDITOR.tools.color.
#4604: Fixed: CKEDITOR.plugins.clipboard.dataTransfer#getTypes() returns no types.
#4761: Fixed: Not all resources loaded by the editor respect the cache key.
#4783: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon activating a toolbar button.
#4790: Fixed: Printing page is invoked before the printed page is fully loaded.
#4874: Fixed: Built-in support for pasting and dropping images in the Clipboard plugin restricts third party plugins from handling image pasting. Thanks to FlowIT-JIT!
#4888: Fixed: The CKEDITOR.dialog#setState() method throws error when there is no “OK” button in the dialog.
#4858: Fixed: The Autolink plugin incorrectly escapes the & characters when pasting links into the editor.
#4892: Fixed: Focus of buttons in dialogs is not visible enough in High Contrast mode.
#3858: Fixed: Pasting content in ENTER_BR enter mode crashes the editor.
#4891: Fixed: The Autogrow plugin applies fixed width to the editor.

API Changes:

#4462: CKEDITOR.editor#getSelection() now returns null if the editor is in recreating state.
#4583: Added support for new, comma-less color syntax to CKEDITOR.tools.color.
#4604: Added the CKEDITOR.plugins.clipboard.dataTransfer#isFileTransfer() method.
#4790: Added callback parameter to CKEDITOR.plugins.preview#createPreview() method.

Other Changes:

#4866: The Flash plugin is now deprecated and has been removed from CKEditor 4.
#4901: Redesigned buttons placement in the Content templates dialog to make it more UX friendly. Thanks to Fynn96!

Read More

FEDORA-EPEL-2022-473e5052db

Packages in this update:

ckeditor-4.20.0-1.el7

Update description:

CKEditor 4.20

New Features:

#5084: Added the config.tabletools_scopedHeaders configuration option controlling the behaviour of table headers with and without the [scope] attribute.
#5219: Added the config.image2_defaultLockRatio configuration option allowing to set the default value of the “Lock ratio” option in the Enhanced Image dialog.
#2008: Extended the Mentions and Emoji plugins with a feature option that adds a space after an accepted autocompletion match. See:
configDefinition.followingSpace option for the mentions plugin, and
config.emoji_followingSpace option for the emoji plugin.

#5215: Added the config.coreStyles_toggleSubSup configuration option which disallows setting the subscript and superscript on the same element simultaneously using UI buttons. This option is turned off by default.

Fixed Issues:

#4889: Fixed: Incorrect position of the Table Resize cursor after scrolling the editor horizontally.
#5319: Fixed: Autolink config.autolink_urlRegex option produced invalid links when configured directly using the editor instance config. Thanks to Aigars Zeiza!
#4941: Fixed: Some entities got wrongly encoded when using entities_processNumerical = true configuration option.
#4931: Fixed: Selecting the whole editor content when there is only a list with an empty element at the end inside and deleting it did not delete all list items.

API changes:

#5122: Added the ability to provide a list of buttons as an array to the config.removeButtons config variable.
#2008: Added Autocomplete followingSpace option that finishes an accepted match with a space.

CKEditor 4.19.1

Fixed Issues:

#5125: Fixed: Deleting a widget with disabled autoParagraph by the keyboard backspace key removes the editor editable area and crashes the editor.
#5135: Fixed: The checkbox.setValue and radio.setValue methods are not chainable as stated in the documentation. Thanks to Jordan Bradford!
#5085: Fixed: The Language plugin removes the element marking the text in foreign language if said element does not have an information about the text direction.
#4284: Fixed: Tableselection Merging cells with a rowspan throws an unexpected error and does not create an undo step.
#5184: Fixed: The Editor Placeholder plugin degrades typing performance.
#5158: Fixed: CKEDITOR.tools#convertToPx() gives invalid results if the helper calculator element was deleted from the DOM.
#5234: Fixed: Easy Image doesn’t allow to upload images files using toolbar button.
#438: Fixed: It is impossible to navigate to the elementspath from the toolbar by keyboard and vice versa.
#4449: Fixed: dialog.validate#functions incorrectly composes functions that return an optional error message, like e.g. dialog.validate.number due to unnecessary return type coercion.
#4473: Fixed: The dialog.validate method does not accept parameter value. The issue originated in dialog.validate.functions method that did not properly propagate parameter value to validator. Affected validators:
functions
equals
notEqual
cssLength
htmlLength
inlineStyle

#5147: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon leaving dialogs.
#5144: Fixed: Menu buttons and panel buttons incorrectly indicate the open status of their associated pop-up menus in the browser’s accessibility tree.
#5022: Fixed: Find and Replace does not respond to the Enter key.

API changes:

#5184: Added the config.editorplaceholder_delay configuration option allowing to delay placeholder before it is toggled when changing editor content.
#5184: Added the CKEDITOR.tools#debounce() function allowing to postpone a passed function execution until the given milliseconds have elapsed since the last time it was invoked.

CKEditor 4.19.0

New features:

#2444: Togglable toolbar buttons are now exposed as toggle buttons in the browser’s accessibility tree.
#4641: Added an option allowing to cancel the Delayed Editor Creation feature as a function handle for editor creators (CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo).
#4986: Added config.shiftLineBreaks allowing to preserve inline elements formatting when the shift+enter keystroke is used.
#2445: Added config.applicationTitle configuration option allowing to customize or disable the editor’s application region label. This option, combined with config.title, gives much better control over the editor’s labels read by screen readers.

Fixed Issues:

#4543: Fixed: Toolbar buttons toggle state is not correctly announced by screen readers lacking the information whether the feature is on or off.
#4052: Fixed: Editor labels are read incorrectly by screen readers due to invalid editor control type for the Iframe Editing Area editors.
#1904: Fixed: Screen readers are not announcing the read-only editor state.
#4904: Fixed: Table cell selection and navigation with the tab key behavior is inconsistent after adding a new row.
#3394: Fixed: Enhanced image plugin dialog is not supporting URL with query string parameters. Thanks to Simon Urli!
#5049: Fixed: The editor fails in strict mode due to not following the use strict directives in a core editor module.
#5095: Fixed: The clipboard plugin shows notification about unsupported file format when the file type is different than jpg, gif, png, not respecting supported types by the Upload Widget plugin.
#4855: [iOS] Fixed: Focusing toolbar buttons with an enabled VoiceOver screen reader moves the browser focus into an editable area and interrupts button functionality.

API changes:

#4641: The CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo functions are now returning a handle function allowing to cancel the Delayed Editor Creation feature.
#5095: Added the CKEDITOR.plugins.clipboard.addFileMatcher function allowing to define file formats supported by the clipboard plugin. Trying to paste unsupported files will result in a notification that a file cannot be dropped or pasted into the editor.
#2445: Added config.applicationTitle alongside CKEDITOR.editor#applicationTitle to allow customizing editor’s application region label.

CKEditor 4.18.0

Security Updates:

Fixed an XSS vulnerability in the core module reported by GitHub Security Lab team member Kevin Backhouse.

Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing a JavaScript code. See CVE-2022-24728 for more details.

Fixed a Regular expression Denial of Service (ReDoS) vulnerability in dialog plugin discovered by the CKEditor 4 team during our regular security audit.

Issue summary: The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. See CVE-2022-24729 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Web Spell Checker ended support for WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.

We strongly encourage everyone to choose one of the other available spellchecking solutions – Spell Check As You Type (SCAYT) or WProofreader.

Fixed issues:

#5097: [Chrome] Fixed: Incorrect conversion of points to pixels while using CKEDITOR.tools.convertToPx().
#5044: Fixed: select elements with multiple attribute had incorrect styling. Thanks to John R. D’Orazio!

Other changes:

#5093: Deprecated and removed WebSpellChecker Dialog from presets.
#5127: Deprecated the CKEDITOR.rnd property to discourage using it in a security-sensitive context.
#5087: Improved the jQuery adapter by replacing a deprecated jQuery API with existing counterparts. Thanks to Fran Boon!
#5128: Improved the Emoji definitions encoding set by the config.emoji_emojiListUrl configuration option.

CKEditor 4.17.2

Fixed issues:

#4934: Fixed: Active focus in dialog tabs is not visible in the High Contrast mode.
#547: Fixed: Dragging and dropping elements like images within a table is no longer available.
#4875: Fixed: It is not possible to delete multiple selected lists.
#4873: Fixed: Pasting content from MS Word and Outlook with horizontal lines prevents images from being uploaded.
#4952: Fixed: Dragging and dropping images within a table cell appends additional elements.
#4761: Fixed: Some CSS files are missing unique timestamp used to prevent browser to cache static resources between editor releases.
#4987: Fixed: Find/Replace is not recognizing more than one space character.
#5061: Fixed: Find/Replace plugin incorrectly handles multiple whitespace during replacing text.
#5004: Fixed: MutationObserver used in IFrame Editing Area plugin causes memory leaks.
#4994: Fixed: Easy Image plugin caused content pasted from Word to turn into an image.

API changes:

#4918: Explicitly set the config.useComputedState default value to true. Thanks to Shabab Karim!
#4761: The CKEDITOR.appendTimestamp() function was added.
#4761: CKEDITOR.dom.document#appendStyleSheet() and CKEDITOR.tools.buildStyleHtml() now use the newly added CKEDITOR.appendTimestamp() function to correctly handle caching of CSS files.

Other changes:

#5014: Fixed: Toolbar configurator fails when plugin does not define a toolbar group. Thanks to SuperPat!

CKEditor 4.17.1

Highlights:

Due to a regression in CKEeditor 4.17.0 version that was only revealed after the release and affected a limited area of operation, CSS assets loaded via relative links started to point into invalid location when loaded from external resources.

We have therefore decided to immediately release CKEditor 4.17.1 that fixed this problem. If you have already upgraded to v4.17.0, make sure to upgrade to v4.17.1 to avoid this regression.

Fixed issues:

#4979: Fixed: Added cache key in #4761 started to breaking relative links for external CSS resources. The fix has been reverted and will be corrected in the next editor version.

CKEditor 4.17

Security Updates:

Fixed XSS vulnerability in the core module reported by William Bowling.

Issue summary: The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41165 for more details.

Fixed XSS vulnerability in the core module reported by Maurice Dauer.

Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41164 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Adobe ended support of Flash Player on December 31, 2020 and blocked Flash content from running in Flash Player beginning January 12, 2021.
We have decided to deprecate and remove the Flash plugin from CKEditor 4 to help protect users’ systems and discourage using insecure software.

New Features:

#3433: Marked required fields in dialogs with asterisk (*) symbol.
#4374: Integrated the Maximize plugin with browser’s History API.
#4461: Introduced the possibility to delay editor initialization while it is in a detached DOM element.
#4462: Introduced support for reattaching editor container element to DOM.
#4612: Allow pasting images as Base64 from clipboard in all browsers except IE.
#4681: Allow drag and drop images as Base64.
#4750: Added notification for pasting and dropping unsupported file types into the editor.
#4807: [Chrome] Improved the performance of pasting large images. Thanks to FlowIT-JIT!
#4850: Added support for loading content templates from HTML files. Thanks to Fynn96!
#4874: Added the config.clipboard_handleImages configuration option for enabling and disabling built-in support for pasting and dropping images in the Clipboard plugin. Thanks to FlowIT-JIT!
#4026: Preview plugin now uses the editor#title property for the title of the preview window. Thanks to Ely!
#4467: Added support for inserting content next to a block widgets using keyboard navigation. Thanks to bunglegrind!

Fixed Issues:

#3757: [Firefox] Fixed: images pasted from clipboard are not inserted as Base64-encoded images.
#3876: Fixed: The Print plugin incorrectly prints links and images.
#4444: [Firefox] Fixed: Print preview is incorrectly loaded from CDN.
#4596: Fixed: Incorrect handling of HSL/HSLA values in CKEDITOR.tools.color.
#4597: Fixed: Incorrect color conversion for HSL/HSLA values in CKEDITOR.tools.color.
#4604: Fixed: CKEDITOR.plugins.clipboard.dataTransfer#getTypes() returns no types.
#4761: Fixed: Not all resources loaded by the editor respect the cache key.
#4783: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon activating a toolbar button.
#4790: Fixed: Printing page is invoked before the printed page is fully loaded.
#4874: Fixed: Built-in support for pasting and dropping images in the Clipboard plugin restricts third party plugins from handling image pasting. Thanks to FlowIT-JIT!
#4888: Fixed: The CKEDITOR.dialog#setState() method throws error when there is no “OK” button in the dialog.
#4858: Fixed: The Autolink plugin incorrectly escapes the & characters when pasting links into the editor.
#4892: Fixed: Focus of buttons in dialogs is not visible enough in High Contrast mode.
#3858: Fixed: Pasting content in ENTER_BR enter mode crashes the editor.
#4891: Fixed: The Autogrow plugin applies fixed width to the editor.

API Changes:

#4462: CKEDITOR.editor#getSelection() now returns null if the editor is in recreating state.
#4583: Added support for new, comma-less color syntax to CKEDITOR.tools.color.
#4604: Added the CKEDITOR.plugins.clipboard.dataTransfer#isFileTransfer() method.
#4790: Added callback parameter to CKEDITOR.plugins.preview#createPreview() method.

Other Changes:

#4866: The Flash plugin is now deprecated and has been removed from CKEditor 4.
#4901: Redesigned buttons placement in the Content templates dialog to make it more UX friendly. Thanks to Fynn96!

Read More

FEDORA-2022-b61dfd219b

Packages in this update:

ckeditor-4.20.0-1.fc36

Update description:

CKEditor 4.20

New Features:

#5084: Added the config.tabletools_scopedHeaders configuration option controlling the behaviour of table headers with and without the [scope] attribute.
#5219: Added the config.image2_defaultLockRatio configuration option allowing to set the default value of the “Lock ratio” option in the Enhanced Image dialog.
#2008: Extended the Mentions and Emoji plugins with a feature option that adds a space after an accepted autocompletion match. See:
configDefinition.followingSpace option for the mentions plugin, and
config.emoji_followingSpace option for the emoji plugin.

#5215: Added the config.coreStyles_toggleSubSup configuration option which disallows setting the subscript and superscript on the same element simultaneously using UI buttons. This option is turned off by default.

Fixed Issues:

#4889: Fixed: Incorrect position of the Table Resize cursor after scrolling the editor horizontally.
#5319: Fixed: Autolink config.autolink_urlRegex option produced invalid links when configured directly using the editor instance config. Thanks to Aigars Zeiza!
#4941: Fixed: Some entities got wrongly encoded when using entities_processNumerical = true configuration option.
#4931: Fixed: Selecting the whole editor content when there is only a list with an empty element at the end inside and deleting it did not delete all list items.

API changes:

#5122: Added the ability to provide a list of buttons as an array to the config.removeButtons config variable.
#2008: Added Autocomplete followingSpace option that finishes an accepted match with a space.

CKEditor 4.19.1

Fixed Issues:

#5125: Fixed: Deleting a widget with disabled autoParagraph by the keyboard backspace key removes the editor editable area and crashes the editor.
#5135: Fixed: The checkbox.setValue and radio.setValue methods are not chainable as stated in the documentation. Thanks to Jordan Bradford!
#5085: Fixed: The Language plugin removes the element marking the text in foreign language if said element does not have an information about the text direction.
#4284: Fixed: Tableselection Merging cells with a rowspan throws an unexpected error and does not create an undo step.
#5184: Fixed: The Editor Placeholder plugin degrades typing performance.
#5158: Fixed: CKEDITOR.tools#convertToPx() gives invalid results if the helper calculator element was deleted from the DOM.
#5234: Fixed: Easy Image doesn’t allow to upload images files using toolbar button.
#438: Fixed: It is impossible to navigate to the elementspath from the toolbar by keyboard and vice versa.
#4449: Fixed: dialog.validate#functions incorrectly composes functions that return an optional error message, like e.g. dialog.validate.number due to unnecessary return type coercion.
#4473: Fixed: The dialog.validate method does not accept parameter value. The issue originated in dialog.validate.functions method that did not properly propagate parameter value to validator. Affected validators:
functions
equals
notEqual
cssLength
htmlLength
inlineStyle

#5147: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon leaving dialogs.
#5144: Fixed: Menu buttons and panel buttons incorrectly indicate the open status of their associated pop-up menus in the browser’s accessibility tree.
#5022: Fixed: Find and Replace does not respond to the Enter key.

API changes:

#5184: Added the config.editorplaceholder_delay configuration option allowing to delay placeholder before it is toggled when changing editor content.
#5184: Added the CKEDITOR.tools#debounce() function allowing to postpone a passed function execution until the given milliseconds have elapsed since the last time it was invoked.

CKEditor 4.19.0

New features:

#2444: Togglable toolbar buttons are now exposed as toggle buttons in the browser’s accessibility tree.
#4641: Added an option allowing to cancel the Delayed Editor Creation feature as a function handle for editor creators (CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo).
#4986: Added config.shiftLineBreaks allowing to preserve inline elements formatting when the shift+enter keystroke is used.
#2445: Added config.applicationTitle configuration option allowing to customize or disable the editor’s application region label. This option, combined with config.title, gives much better control over the editor’s labels read by screen readers.

Fixed Issues:

#4543: Fixed: Toolbar buttons toggle state is not correctly announced by screen readers lacking the information whether the feature is on or off.
#4052: Fixed: Editor labels are read incorrectly by screen readers due to invalid editor control type for the Iframe Editing Area editors.
#1904: Fixed: Screen readers are not announcing the read-only editor state.
#4904: Fixed: Table cell selection and navigation with the tab key behavior is inconsistent after adding a new row.
#3394: Fixed: Enhanced image plugin dialog is not supporting URL with query string parameters. Thanks to Simon Urli!
#5049: Fixed: The editor fails in strict mode due to not following the use strict directives in a core editor module.
#5095: Fixed: The clipboard plugin shows notification about unsupported file format when the file type is different than jpg, gif, png, not respecting supported types by the Upload Widget plugin.
#4855: [iOS] Fixed: Focusing toolbar buttons with an enabled VoiceOver screen reader moves the browser focus into an editable area and interrupts button functionality.

API changes:

#4641: The CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo functions are now returning a handle function allowing to cancel the Delayed Editor Creation feature.
#5095: Added the CKEDITOR.plugins.clipboard.addFileMatcher function allowing to define file formats supported by the clipboard plugin. Trying to paste unsupported files will result in a notification that a file cannot be dropped or pasted into the editor.
#2445: Added config.applicationTitle alongside CKEDITOR.editor#applicationTitle to allow customizing editor’s application region label.

CKEditor 4.18.0

Security Updates:

Fixed an XSS vulnerability in the core module reported by GitHub Security Lab team member Kevin Backhouse.

Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing a JavaScript code. See CVE-2022-24728 for more details.

Fixed a Regular expression Denial of Service (ReDoS) vulnerability in dialog plugin discovered by the CKEditor 4 team during our regular security audit.

Issue summary: The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. See CVE-2022-24729 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Web Spell Checker ended support for WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.

We strongly encourage everyone to choose one of the other available spellchecking solutions – Spell Check As You Type (SCAYT) or WProofreader.

Fixed issues:

#5097: [Chrome] Fixed: Incorrect conversion of points to pixels while using CKEDITOR.tools.convertToPx().
#5044: Fixed: select elements with multiple attribute had incorrect styling. Thanks to John R. D’Orazio!

Other changes:

#5093: Deprecated and removed WebSpellChecker Dialog from presets.
#5127: Deprecated the CKEDITOR.rnd property to discourage using it in a security-sensitive context.
#5087: Improved the jQuery adapter by replacing a deprecated jQuery API with existing counterparts. Thanks to Fran Boon!
#5128: Improved the Emoji definitions encoding set by the config.emoji_emojiListUrl configuration option.

CKEditor 4.17.2

Fixed issues:

#4934: Fixed: Active focus in dialog tabs is not visible in the High Contrast mode.
#547: Fixed: Dragging and dropping elements like images within a table is no longer available.
#4875: Fixed: It is not possible to delete multiple selected lists.
#4873: Fixed: Pasting content from MS Word and Outlook with horizontal lines prevents images from being uploaded.
#4952: Fixed: Dragging and dropping images within a table cell appends additional elements.
#4761: Fixed: Some CSS files are missing unique timestamp used to prevent browser to cache static resources between editor releases.
#4987: Fixed: Find/Replace is not recognizing more than one space character.
#5061: Fixed: Find/Replace plugin incorrectly handles multiple whitespace during replacing text.
#5004: Fixed: MutationObserver used in IFrame Editing Area plugin causes memory leaks.
#4994: Fixed: Easy Image plugin caused content pasted from Word to turn into an image.

API changes:

#4918: Explicitly set the config.useComputedState default value to true. Thanks to Shabab Karim!
#4761: The CKEDITOR.appendTimestamp() function was added.
#4761: CKEDITOR.dom.document#appendStyleSheet() and CKEDITOR.tools.buildStyleHtml() now use the newly added CKEDITOR.appendTimestamp() function to correctly handle caching of CSS files.

Other changes:

#5014: Fixed: Toolbar configurator fails when plugin does not define a toolbar group. Thanks to SuperPat!

CKEditor 4.17.1

Highlights:

Due to a regression in CKEeditor 4.17.0 version that was only revealed after the release and affected a limited area of operation, CSS assets loaded via relative links started to point into invalid location when loaded from external resources.

We have therefore decided to immediately release CKEditor 4.17.1 that fixed this problem. If you have already upgraded to v4.17.0, make sure to upgrade to v4.17.1 to avoid this regression.

Fixed issues:

#4979: Fixed: Added cache key in #4761 started to breaking relative links for external CSS resources. The fix has been reverted and will be corrected in the next editor version.

CKEditor 4.17

Security Updates:

Fixed XSS vulnerability in the core module reported by William Bowling.

Issue summary: The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41165 for more details.

Fixed XSS vulnerability in the core module reported by Maurice Dauer.

Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. See CVE-2021-41164 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Adobe ended support of Flash Player on December 31, 2020 and blocked Flash content from running in Flash Player beginning January 12, 2021.
We have decided to deprecate and remove the Flash plugin from CKEditor 4 to help protect users’ systems and discourage using insecure software.

New Features:

#3433: Marked required fields in dialogs with asterisk (*) symbol.
#4374: Integrated the Maximize plugin with browser’s History API.
#4461: Introduced the possibility to delay editor initialization while it is in a detached DOM element.
#4462: Introduced support for reattaching editor container element to DOM.
#4612: Allow pasting images as Base64 from clipboard in all browsers except IE.
#4681: Allow drag and drop images as Base64.
#4750: Added notification for pasting and dropping unsupported file types into the editor.
#4807: [Chrome] Improved the performance of pasting large images. Thanks to FlowIT-JIT!
#4850: Added support for loading content templates from HTML files. Thanks to Fynn96!
#4874: Added the config.clipboard_handleImages configuration option for enabling and disabling built-in support for pasting and dropping images in the Clipboard plugin. Thanks to FlowIT-JIT!
#4026: Preview plugin now uses the editor#title property for the title of the preview window. Thanks to Ely!
#4467: Added support for inserting content next to a block widgets using keyboard navigation. Thanks to bunglegrind!

Fixed Issues:

#3757: [Firefox] Fixed: images pasted from clipboard are not inserted as Base64-encoded images.
#3876: Fixed: The Print plugin incorrectly prints links and images.
#4444: [Firefox] Fixed: Print preview is incorrectly loaded from CDN.
#4596: Fixed: Incorrect handling of HSL/HSLA values in CKEDITOR.tools.color.
#4597: Fixed: Incorrect color conversion for HSL/HSLA values in CKEDITOR.tools.color.
#4604: Fixed: CKEDITOR.plugins.clipboard.dataTransfer#getTypes() returns no types.
#4761: Fixed: Not all resources loaded by the editor respect the cache key.
#4783: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon activating a toolbar button.
#4790: Fixed: Printing page is invoked before the printed page is fully loaded.
#4874: Fixed: Built-in support for pasting and dropping images in the Clipboard plugin restricts third party plugins from handling image pasting. Thanks to FlowIT-JIT!
#4888: Fixed: The CKEDITOR.dialog#setState() method throws error when there is no “OK” button in the dialog.
#4858: Fixed: The Autolink plugin incorrectly escapes the & characters when pasting links into the editor.
#4892: Fixed: Focus of buttons in dialogs is not visible enough in High Contrast mode.
#3858: Fixed: Pasting content in ENTER_BR enter mode crashes the editor.
#4891: Fixed: The Autogrow plugin applies fixed width to the editor.

API Changes:

#4462: CKEDITOR.editor#getSelection() now returns null if the editor is in recreating state.
#4583: Added support for new, comma-less color syntax to CKEDITOR.tools.color.
#4604: Added the CKEDITOR.plugins.clipboard.dataTransfer#isFileTransfer() method.
#4790: Added callback parameter to CKEDITOR.plugins.preview#createPreview() method.

Other Changes:

#4866: The Flash plugin is now deprecated and has been removed from CKEditor 4.
#4901: Redesigned buttons placement in the Content templates dialog to make it more UX friendly. Thanks to Fynn96!

Read More