CKEditor 4.4.8 with a Security Patch Released
We would like to announce the release of CKEditor 4.4.8, the last version in the CKEditor 4.4.* line. It fixes over 20 issues, ranging from accessibility improvements to API documentation updates. This editor version also includes a security fix for the HTML parser, so an upgrade is highly recommended!
Security Issue Fixed
CKEditor 4.4.8 fixes an XSS vulnerability in the HTML parser reported by Dheeraj Joshi and Prem Kumar. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste specially crafted HTML, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend upgrading to the latest editor version.
It is really amazing that a third of the 25 tickets that went into this release were contributed by the community. We are happy to see both the number and the quality of the pull requests submitted to the official CKEditor repository increase steadily, and we would like to thank all contributors for their help.
All in all, the core development team is trying hard to make the patch review process as quick and efficient as possible and is very grateful for all contributions. If you would like to submit your own patch, check the Contributing Code article in our documentation. If you are not ready to write your own CKEditor code, you can help the project in other ways, e.g. by reporting issues, translating CKEditor into your native language, sharing your custom plugins, or helping fellow developers at Stack Overflow. Thank you!
This editor release contains 25 improvements and bug fixes and is the last minor release preceding CKEditor 4.5 (also announced today). Since accessibility is (and has always been) a priority for us, we improved keyboard navigation in dialog windows with multiple tabs, which did not follow the ARIA Authoring Practices. Other fixed issues include an incorrect structure being created when merging a block into a list item on Backspace and Delete, an error when inserting a hidden field into the editing area, and links being lost when editing a linked image with the Link tab disabled.
Check out the What's New? page for the full list of changes.
Download CKEditor now and upgrade your installation or use your favorite package manager to install it!
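Before upgrading, it helps to know which of your deployments still run a build older than 4.4.8. The script below is an added example for this announcement, not part of CKEditor or its release tooling. It assumes that a CKEditor 4 build states its version in ckeditor.js as version:"4.4.x" (the minified build object) and that a package-manager install carries it in package.json as "version": "4.4.x"; both are matched by the same pattern, and the sample files it creates when run without arguments are constructed stand-ins, not real builds.

```shell
#!/bin/sh
# Added example: find CKEditor 4 installs below the version carrying the HTML parser fix.
# Assumption: the version appears as  version:"4.4.x"  in ckeditor.js or as
# "version": "4.4.x"  in package.json (the first such match in the file is used).

FIXED_VERSION="4.4.8"   # first 4.4.x release with the HTML parser XSS fix

# Print the version string found in a ckeditor.js or package.json file;
# prints nothing if no version can be found.
ckeditor_version() {
  grep -o -E 'version"?[[:space:]]*:[[:space:]]*"[0-9]+(\.[0-9]+)*"' "$1" 2>/dev/null \
    | head -n 1 \
    | sed -E 's/.*"([0-9.]+)"$/\1/'
}

# Return 0 (true) if dotted version $1 is strictly lower than $2, else 1.
# Missing components count as 0, so 4.4 < 4.4.8 and 4.4.8 is not below 4.4.8.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
  done
  return 1
}

# Classify one file: "affected <version>", "fixed <version>" or "unknown".
assess_ckeditor() {
  v=$(ckeditor_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"
  elif version_lt "$v" "$FIXED_VERSION"; then
    echo "affected $v"
  else
    echo "fixed $v"
  fi
}

# With arguments: assess each given ckeditor.js / package.json path.
# Without arguments: run against two constructed sample files (not real builds).
if [ $# -gt 0 ]; then
  for f in "$@"; do printf '%s: %s\n' "$f" "$(assess_ckeditor "$f")"; done
else
  tmp=$(mktemp -d)
  # constructed fragment mimicking the head of a minified 4.4.7 ckeditor.js
  printf '%s' 'window.CKEDITOR||(window.CKEDITOR=function(){var a={timestamp:"X",version:"4.4.7",revision:"0"};' > "$tmp/ckeditor.js"
  # constructed package.json of a 4.4.8 package-manager install
  printf '{\n  "name": "ckeditor",\n  "version": "4.4.8"\n}\n' > "$tmp/package.json"
  for f in "$tmp/ckeditor.js" "$tmp/package.json"; do
    printf '%s: %s\n' "$f" "$(assess_ckeditor "$f")"
  done
  rm -rf "$tmp"
fi
```

Run it as `sh check-ckeditor.sh path/to/ckeditor.js other/package.json` (or `find` the files first and pass them all). The comparison is purely numeric, so a 4.5.x build is reported as fixed relative to 4.4.8; an "unknown" result means the file did not contain a recognisable version string and should be checked by hand.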
CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.
Reporting Issues and Contributing
Please use the CKEditor Development website to report issues and suggestions through tickets. You can also contribute code and provide editor patches through pull requests.
Community support is available through Stack Overflow. Visit the support page for additional options.