
CKEditor Weekly for March 24, 2015

We're back with another CKEditor Weekly! After a short (but productive) break that included the last team meetup in Warsaw, we are back to working hard on CKEditor 4.5 beta and CKFinder 3 beta! Quite a lot of progress occurred during the last weeks, so read on for details!

CKEditor in Review

  • The team created the CKEditor 4.5.0 milestone on our tracker to separate tickets that we wish to close in the CKEditor 4.5.0 Beta. So yes - there will be a beta before the final release.

  • 22 tickets were closed and two more were put on review. Most of them were related to stability of the new features that we implemented or changed in CKEditor 4.5.0, but there were also new features like configurable paste filter, ability to paste fragments of images (e.g. copied from MS Paint), drag and drop's UX polishing and so on.

  • Right now the team is working on the last three big topics in CKEditor 4.5.0 - integrating widgets with the new clipboard APIs, finalising our previous work on the oEmbed plugin and bringing (some) IE 12 compatibility.

  • Last but not least, an accessibility issue in the dialogs was fixed.

  • The new samples framework is being ported to new CKEditor samples.

  • On the CKEditor 5 front, we are still working on the prototype - taking care of the selection feature.

Other Projects

  • benderjs-amd v0.2.3 was released. WARNING: This release contains breaking changes in the API - we no longer override the require function, instead we expose bender.require for the same purpose.

  • Other than that, sample plugins for the CKFinder 3 PHP connector were created and the documentation was reviewed. The focus has now shifted to some frontend issues.

Around the Net

False Security Report Note

Last week was full of tweets about a false security report for "FCKeditor 4.4.7".

The CKEditor team treats all security reports seriously, and we want to underline that so does the community. So far, whenever a valid security issue was found, the security researcher contacted us first, so that the CKEditor team had time to prepare a bugfix and users could download a secure version as soon as the vulnerability was disclosed.

In this case nobody contacted us before disclosing this "0-day exploit". The reason turned out to be simple:

  • The "XSS/HTML Injection" issue in samples/plugins/htmlwriter/outputhtml.html, reported after pressing the "Submit" button, is simply invalid.
    That sample exists to show what markup produced by CKEditor looks like. After form submission, the submitted HTML is not displayed as is: precisely for security reasons it is HTML-encoded first, so the browser renders the markup as plain text and no XSS occurs.

  • The "File Upload Exploit" issue points to a feature that has not been used since FCKeditor 2.x, and even in FCKeditor 2.x no security issue exists there. The built-in file manager was disabled by default in the release package, so that developers had to read the documentation before enabling it.
    If file upload is correctly enabled only for trusted users (e.g. by checking server-side session variables), an attacker cannot upload any files, because the file browser is disabled without a valid session.
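To make the first point concrete, here is an added example (our own illustration for this post, not the code of the outputhtml sample) contrasting the two ways a page can echo submitted editor content. The unsafe path concatenates the submitted markup straight into the document; the safe path, which is what the sample does, HTML-encodes it first. The payload, the `encodeHtml` helper and the `containsUnencodedTag` check are all constructed for the demo.

```javascript
// Added example, not the CKEditor sample's own code. It models what the
// outputhtml-style sample does with submitted editor content: encode the
// HTML before echoing it back, so the browser shows the markup as text.

// Minimal HTML entity encoder covering text content and attribute values.
function encodeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed payload of the kind a reporter might paste into the editor
// and submit, hoping it executes when the page echoes the result back.
const SUBMITTED_HTML = '<p>Hello</p><img src=x onerror="alert(1)">';

// Insecure pattern: echo the submitted markup verbatim. A browser would
// parse the <img> element and run its onerror handler.
function renderRaw(submitted) {
  return '<div id="output">' + submitted + '</div>';
}

// Secure pattern (what the sample does): encode first. The browser now
// renders the literal characters "<img ...>" instead of creating an element.
function renderEncoded(submitted) {
  return '<div id="output">' + encodeHtml(submitted) + '</div>';
}

// Crude triage check: after stripping the wrapper we added ourselves, does
// any element tag from the submission survive unencoded? Real triage would
// load the page in a browser or an HTML parser; this is enough to show the
// difference between the two render paths.
function containsUnencodedTag(html) {
  const body = html.replace(/^<div id="output">/, '').replace(/<\/div>$/, '');
  return /<[a-z][^>]*>/i.test(body);
}

// Reverses encodeHtml (ampersand last), to confirm the encoder only escapes
// and never drops characters, i.e. the user still sees their full markup.
function decodeHtml(text) {
  return String(text)
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

console.log('raw render keeps a live tag:', containsUnencodedTag(renderRaw(SUBMITTED_HTML)));
console.log('encoded render keeps a live tag:', containsUnencodedTag(renderEncoded(SUBMITTED_HTML)));
```

Run it with `node`. The raw path reports `true` and the encoded path `false`, which is exactly the distinction the report missed: seeing `<img onerror=...>` on screen after submitting is the encoder working, not an injection. Note the encoder above is for text and quoted attribute contexts only; content placed inside `<script>`, URLs or CSS needs context-specific escaping.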

As you can see, not every security report should be taken at face value. If you still have any doubts or questions, please feel free to contact us at any time.
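The second point, that an upload connector which is off by default and gated on a server-side session gives an anonymous "exploit" nothing to talk to, is easier to see in code. The following is an added illustration written in JavaScript for this post; it is not the FCKeditor 2.x PHP connector or the CKFinder connector, and the `CONNECTOR_ENABLED` flag, the session field names, the extension allowlist and the sample requests are all assumptions made for the demo.

```javascript
// Added illustration, not the FCKeditor 2.x or CKFinder connector code. It
// shows the server-side gate described in the post: the file manager is off
// by default, and once enabled it serves only requests whose session the
// application itself marked as trusted. All names here are assumptions.

// Assumption: the release configuration ships with this set to false; the
// integrator flips it only after reading the documentation.
const CONNECTOR_ENABLED = true;

// Assumption: a small allowlist of storable extensions, as a second layer
// behind the session check.
const ALLOWED_EXTENSIONS = new Set(['jpg', 'jpeg', 'png', 'gif']);

// The application sets these flags in its own login flow. The connector
// never trusts anything the client sends; it reads only the server session.
function isTrustedSession(session) {
  return Boolean(session && session.authenticated === true && session.canUpload === true);
}

function extensionOf(filename) {
  const m = /\.([a-z0-9]+)$/i.exec(String(filename));
  return m ? m[1].toLowerCase() : '';
}

// Returns { ok, reason } so callers (and tests) can see which layer rejected.
// The session check comes first: without a valid session the file name is
// never even looked at.
function authorizeUpload(session, filename) {
  if (!CONNECTOR_ENABLED) return { ok: false, reason: 'connector disabled' };
  if (!isTrustedSession(session)) return { ok: false, reason: 'no valid session' };
  if (typeof filename !== 'string' || /[\/\\\0]/.test(filename) || filename.startsWith('.')) {
    return { ok: false, reason: 'invalid file name' };
  }
  if (!ALLOWED_EXTENSIONS.has(extensionOf(filename))) {
    return { ok: false, reason: 'extension not allowed' };
  }
  return { ok: true, reason: '' };
}

// Constructed requests: an anonymous attacker, a logged-in user without
// upload rights, and a trusted editor sending harmless and hostile names.
const ATTEMPTS = [
  { session: null, filename: 'shell.php' },
  { session: { authenticated: true, canUpload: false }, filename: 'photo.png' },
  { session: { authenticated: true, canUpload: true }, filename: 'shell.php' },
  { session: { authenticated: true, canUpload: true }, filename: '../photo.png' },
  { session: { authenticated: true, canUpload: true }, filename: 'photo.png' },
];

function runAttempts() {
  return ATTEMPTS.map(({ session, filename }) => ({ filename, ...authorizeUpload(session, filename) }));
}

for (const result of runAttempts()) console.log(result);
```

The first two attempts are rejected with `no valid session` before the file name is inspected, which is the whole point: a scanner firing requests at the connector URL without an application session sees the same refusal no matter what it sends. The extension allowlist is a supporting control, not a substitute; it would still accept a name like `shell.php.jpg`, and whether that is harmful depends on how the web server maps extensions to handlers, so the session gate has to remain the primary check.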

Team Updates

  • The entire CKSource team met again for two days in Warsaw, Poland, to talk about various topics, especially about current and future projects, and also have some fun. You can read the report here and check some photos on our Facebook or Google+ pages.

  • To make community contributions and support easier, we have decided to migrate from our own forum that had a limited number of features to a full-blown community support platform - Stack Overflow. Read more about it here.

That's it for this week(s). If you would like to be featured in one of our CKEditor Weeklies, or have an interesting tidbit that relates to CKEditor, leave a comment below or contact us!
