CKEditor 4.4.6 with a Security Patch Released

We would like to announce the release of CKEditor 4.4.6, which contains some significant low-level editor core improvements, including fixes for issues related to selections and the styles system, and a variety of other fixes. This editor version also includes a security fix for the HTML parser, so an upgrade is highly recommended!

Security Issue Fixed

CKEditor 4.4.6 fixes an XSS vulnerability in the HTML parser reported by Maco Cortes and Evan Ricafort. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend upgrading to the latest editor version.

Low-Level Core Improvements

Although this is a minor release, the development team has decided to work on a few significant improvements to the CKEditor core. Tickets such as #12489, #12491 and #12630 improve how selection works in certain scenarios. At the same time, #12621, #12688 and #12403 introduced changes to the styles system, fixing issues with removing inline styles from empty lines and nesting <span> elements for font style changes. Changes like these always come with some code refactoring in order to reduce complexity and improve test coverage (CKEditor uses Bender.js as its testing tool), so we expect them to improve these core editor aspects, fix some similar issues and also make CKEditor output cleaner.

New Features

Minor release or not, CKEditor 4.4.6 includes two new features, too. Allowed content rules that are used in content filtering definitions now accept dashes in element names. Additionally, the HTML5 <main> element was added to CKEDITOR.dtd.

CKEditor Fixes

It has already become a custom to include some community work in the latest CKEditor releases and this editor version is no different. Shaohua fixed an issue with pasting into an inline editor in Safari if the page has the user-select: none style, and Timselier provided a code fix for the content filter failing to remove custom tags. Thanks, guys!

Other fixes crafted by the core team include minor issues with events, cursor position or a DOM change outside of the editor under certain circumstances.


Check out the What's New? page for the full list of changes.


Download CKEditor now and upgrade your installation or use your favorite package manager to install it!


CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.

Reporting Issues

Please use the CKEditor Development website to report issues and suggestions through tickets.


Community support is available through our forums. Visit the support page for additional options.
