Security Updates:
A cross-site scripting vulnerability has been discovered affecting the Iframe Dialog and Media Embed plugins.
This vulnerability might affect a small percentage of integrators that depend on the dynamic editor initialization/destroy mechanism. See the GitHub advisory for more details.
Potential breaking changes
In some rare cases, a security release may introduce a breaking change to your application. We have provided configuration options that will help you mitigate any potential issues with the upgrade:
- Starting from version 4.21, the Iframe Dialog plugin applies the sandbox attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the config.iframe_attributes option.
- Starting from version 4.21, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the config.embed_keepOriginalContent option.
If you choose to change either of the above options, make sure to properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on your web page.
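If relaxing the sandbox is unavoidable, one way to limit the exposure is to relax it only for an allowlist of embed hosts and keep the 4.21 default for everything else. The following is an added example, not code from the release notes or the CKEditor project; it assumes the function form of config.iframe_attributes receives the iframe element with its source in attributes.src, and the host names and the iframeAttributesFor helper are illustrative.

```javascript
// Added example. TRUSTED_EMBED_HOSTS holds assumed sample hosts; replace with your own.
const TRUSTED_EMBED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// Default since 4.21: an empty sandbox attribute (scripts blocked in the iframe).
const LOCKED_DOWN = { sandbox: '' };

// Relaxed attributes, applied to allowlisted cross-origin players only.
// Never combine these two tokens for content served from your own origin:
// such a frame can remove its own sandbox.
const RELAXED = { sandbox: 'allow-scripts allow-same-origin' };

// Hypothetical helper: decides the attributes for one iframe element.
function iframeAttributesFor(iframe) {
  const src = iframe && iframe.attributes && iframe.attributes.src;
  if (typeof src !== 'string' || src === '') {
    return Object.assign({}, LOCKED_DOWN);
  }

  let url;
  try {
    // The base resolves relative and protocol-relative sources.
    // Assumption: the embedding page is served over HTTPS.
    url = new URL(src, 'https://base.invalid/');
  } catch (e) {
    return Object.assign({}, LOCKED_DOWN); // unparsable source stays sandboxed
  }

  // Exact host match over HTTPS only. This rejects javascript: and data:
  // sources, userinfo tricks and look-alike hosts that merely contain a
  // trusted name.
  const trusted = url.protocol === 'https:' && TRUSTED_EMBED_HOSTS.has(url.hostname);
  return Object.assign({}, trusted ? RELAXED : LOCKED_DOWN);
}

// Wire it in only when the editor is loaded (browser context).
if (typeof CKEDITOR !== 'undefined') {
  CKEDITOR.config.iframe_attributes = iframeAttributesFor;
}
```

Pair this with a frame-src directive in the page's Content Security Policy that lists the same hosts, so the browser enforces the allowlist even if editor content is tampered with.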
You can read more details in the relevant security advisory and contact us if you have more questions.
An upgrade is highly recommended!
New Features:
Fixed Issues:
- #5431: Fixed: No notification is shown when pasting or dropping unsupported image types into the editor.