We would like to announce the release of CKEditor 4.4.8, the last version in the CKEditor 4.4.* line that contains over 20 issues fixed, from accessibility improvements to API documentation updates. This editor version also includes a security fix for the HTML parser, so an upgrade is highly recommended!
Security Issue Fixed
CKEditor 4.4.8 fixes an XSS vulnerability in the HTML parser reported by Dheeraj Joshi and Prem Kumar. The vulnerability stemmed from the fact that it was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode. Although this is an unlikely scenario, we recommend to upgrade to the latest editor version.
It is really amazing that a third of the 25 tickets that went into this release was provided by the community. We are happy to see both the number and the quality of the pull requests submitted to the official CKEditor repository constantly increase and would like to thank all contributors for their help.
All in all, the core development team is trying hard to make the patch review process as quick and efficient as possible and is very grateful for all contributions. If you would like to submit your patch, too, check the Contributing Code article in our documentation. If you are not ready to write your own CKEditor code, you can help our project in different ways, e.g. by reporting issues, translating CKEditor into your native language, your custom plugins or helping fellow developers at Stack Overflow. Thank you!
This editor release contains 25 improvements and bug fixes and is the last minor release that precedes CKEditor 4.5 (also announced today). Since accessibility is (and has always been) a priority for us, we improved keyboard navigation in dialog windows with multiple tabs which was not following ARIA Authoring Practices. Other issues fixed include incorrect structure created when merging a block into a list item on Backspace and Delete, error when inserting a hidden field into the editing area and issue with links lost when editing a linked image with the Link tab disabled.
Check out the What's New? page for the full list of changes.