CKEditor 4.4.6 with a Security Patch Released
We would like to announce the release of CKEditor 4.4.6 that contains some significant low-level editor core improvements, including issues related to selections and the styles system, and a variety of other fixes. This editor version also includes a security fix for the HTML parser, so an upgrade is highly recommended!
Security Issue Fixed
CKEditor 4.4.6 fixes an XSS vulnerability in the HTML parser reported by Maco Cortes and Evan Ricafort. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.
Low-Level Core Improvements
Although this is a minor release, the development team has decided to work on a few significant improvements to CKEditor core. Tickets such as, for example, #12489, #12491 and #12630 improve how selection works in certain scenarios. At the same time #12621, #12688 and #12403 introduced changes to the styles system, fxing issues with removing inline styles from empty lines and nesting
<span> elements for font style changes. All such changes always come with some code refactoring in order to reduce its complexity as well as improve test coverage (CKEditor uses Bender.js as its testing tool), so we actually expect they should improve these core editor aspects, fix some similar issues and also make CKEditor output cleaner.
Minor release or not, CKEditor 4.4.6 includes two new features, too. Allowed content rules that are used in content filtering definitions now accept dashes in element names. Additionally, the HTML5
<main> element was added to
It has already become a custom to include some community work in latest CKEditor releases and this editor version is no different. Shaohua fixed an issue with pasting into inline editor in Safari if the page has
user-select: none style and Timselier provided a code fix for the content filter failing to remove custom tags. Thanks, guys!
Other fixes crafted by the core team include minor issues with events, cursor position or a DOM change outside of the editor under certain circumstances.
Check out the What's New? page for the full list of changes.
Please use the CKEditor Development website to report issues and suggestions through tickets.