CKEditor Weekly for March 24, 2015
We're back with another CKEditor Weekly! After a short (but productive) break that included the last team meetup in Warsaw, we are back to working hard on CKEditor 4.5 beta and CKFinder 3 beta! Quite a lot of progress occurred during the last weeks, so read on for details!
CKEditor in Review
22 tickets were closed and two more were put up for review. Most of them concerned the stability of the new features implemented or changed in CKEditor 4.5.0, but there were also new features such as the configurable paste filter, the ability to paste fragments of images (e.g. copied from MS Paint), UX polishing of drag and drop, and so on.
Right now the team is working on the last three big topics in CKEditor 4.5.0 - integrating widgets with the new clipboard APIs, finalising our previous work on the oEmbed plugin and bringing (some) IE 12 compatibility.
Last but not least, an accessibility issue in the dialogs was fixed.
On the CKEditor 5 front, we are still working on the prototype - taking care of the selection feature.
benderjs-amd v0.2.3 was released. WARNING: This release contains breaking changes in the API. We no longer override the require function; instead we expose bender.require for the same purpose.
Other than that, sample plugins for the CKFinder 3 PHP connector were created and the documentation was reviewed. The focus has now shifted to some frontend issues.
Around the Net
False Security Report Note
Last week was full of tweets about a false security report for "FCKeditor 4.4.7" (a product that does not exist: FCKeditor became CKEditor with version 3.0).
The CKEditor team treats all security reports seriously, and we want to underline that the community does too. So far, whenever a valid security issue was found, the security researcher contacted us first, so that the CKEditor team had time to prepare a bugfix and users could download the fixed version as soon as the vulnerability was disclosed.
In this case nobody contacted us before disclosing this "0-day Exploit". The reason turned out to be simple:
The "XSS/HTML Injection" issue in samples/plugins/htmlwriter/outputhtml.html (reported to occur after pressing the "Submit" button) was simply invalid.
The sample exists to show what markup produced by CKEditor looks like. After the form is submitted, the submitted HTML is not rendered as is; precisely for security reasons it is HTML-encoded first and displayed as text, so no XSS occurs.
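The difference between the reporter's assumption and what the sample does comes down to output encoding. The following is an added example (not code from CKEditor or its samples) that contrasts echoing submitted editor markup raw with echoing it HTML-encoded. The payload string and the helper names are constructed for illustration; the encoder escapes the same five characters that PHP's htmlspecialchars() with ENT_QUOTES does.

```javascript
// Added example, not CKEditor's own sample code: why echoing submitted
// editor HTML back to the page is only safe when it is encoded first.

// Characters that can change the HTML parsing context when a string is
// placed into element content or into a single/double-quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a string so the browser shows it as literal text.
// Same intent as PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The reporter's assumed behaviour: the submitted markup is inserted raw,
// so anything the browser would execute (event handlers, scripts) survives.
function renderSubmittedRaw(submitted) {
  return `<pre>${submitted}</pre>`;
}

// What the sample actually does: the markup is encoded, so the browser
// renders the tags as visible text and nothing executes.
function renderSubmittedEncoded(submitted) {
  return `<pre>${escapeHtml(submitted)}</pre>`;
}

// Count start/end tags the HTML parser would act on. Once every '<' has
// become '&lt;', only the wrapper element's own two tags remain.
function countTags(fragment) {
  const matches = fragment.match(/<\/?[a-zA-Z]/g);
  return matches ? matches.length : 0;
}

// Constructed input: what an attacker might type into the editor's source
// view before pressing Submit (hypothetical payload, not from the report).
const PAYLOAD = '<p>hello</p><img src=x onerror="alert(1)">';

console.log("raw:     ", renderSubmittedRaw(PAYLOAD), "tags:", countTags(renderSubmittedRaw(PAYLOAD)));
console.log("encoded: ", renderSubmittedEncoded(PAYLOAD), "tags:", countTags(renderSubmittedEncoded(PAYLOAD)));
```

Run with node; the raw variant keeps the img tag and its onerror handler intact, while the encoded variant contains only the pre wrapper's two tags. In a browser you get the same effect by assigning the submitted string to an element's textContent rather than innerHTML, which is the preferable form when the rendering happens client-side.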
The "File Upload Exploit" issue points to a feature that has not been used since FCKeditor 2.x. In any case, there was no security issue even in FCKeditor 2.x: the built-in file manager was disabled by default in the release package, precisely so that developers would read the documentation before enabling it.
When file upload is correctly enabled only for trusted users (for example by checking a session variable on the server side), an attacker cannot upload any files, because without a valid session the file browser is disabled. That check has to live in the server-side connector: anything configured only in the editor's client-side JavaScript can be bypassed by requesting the connector URL directly.
As you can see, not every security report turns out to be valid. However, if you still have any doubts or questions, please feel free to contact us at any time.
The entire CKSource team met again for two days in Warsaw, Poland, to talk about various topics, especially about current and future projects, and also have some fun. You can read the report here and check some photos on our Facebook or Google+ pages.
To make community contributions and support easier, we have decided to migrate from our own forum that had a limited number of features to a full-blown community support platform - Stack Overflow. Read more about it here.
That's it for this week(s). If you would like to be featured in one of our CKEditor Weeklies, or have an interesting tidbit that relates to CKEditor, leave a comment below or contact us!