Webinar Replay available now

Designing AI prompts for content creation- Balancing user needs with UX

Watch Webinar

CKEditor 4.16.2 with browser improvements and security fixes

We are happy to announce another maintenance release of CKEditor 4. Several browser-related issues were revisited and some other important bug fixes were introduced, too. Also, important security patches were rolled out. And to top all the changes, a React 2.0.0 integration was recently released. Check out CKEditor 4.16.2 and find out, what was improved!

Security issues fixed

A security vulnerability in the Clipboard plugin (CVE-2021-32809) was fixed. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor.

Another vulnerability was found in the Widget plugin that allowed to abuse the undo functionality using malformed Widget HTML, which could result in executing JavaScript code (CVE-2021-32808). Both of these vulnerabilities were reported by Anton Subbotin. Thanks!

We also fixed security vulnerability in the Fake Objects plugin (CVE-2021-37695) reported by Mika Kulmala. It allowed injecting a malformed Fake Objects HTML, which could result in executing JavaScript code.

Even though these are low impact issues, an upgrade is highly recommended!

Browser compatibility issues

We have introduced several amendments and enhancements targeted at various browsers, ensuring cross-platform compatibility to provide the most accessible editing experience available.

Invalid handling of whitespaces in Chrome was fixed. After removing one of the two consecutive spaces, the non-breaking space ( ) character appeared in the editor instead of a space. This was a highly requested fix and now it works as expected and doesn’t cause any more formatting issues in the CKEditor 4 output.

The v4.16.2 release introduces a mechanism forCSS selectors escaping (CSS.escape() polyfill) for all supported Internet Explorer versions. This solved an issue with table elements such as td, tr or th with an id that starts with a dot causing a javascript runtime error in the editor. Another solved issue where dragging and dropping an image was not working in the editor with id containing a comma. The newly introduced mechanism is fully compliant with the recent official HTML specification. Thanks to limingli0707 for assistance with this fix!

Two bug fixes were also introduced for Firefox browser. A TypeError was thrown when switching to Source View and back while Autocomplete plugin was enabled. It works properly now.

Important fixes

Based on community feedback and best practices in web development, we always try to modernize the CKEditor 4 API to make working with it a pleasure for any editor or developer.

Incorrectly doubled anchors

A small but annoying bug was fixed for the text anchors. It happened if there were styles (eg. bold) applied to the text that served as an anchor. After the anchor link was edited, the anchor itself got duplicated. We have ensured this behavior no longer happens.

HTML comments fix

While using the source editing mode it could sometimes happen that the HTML comments present in the widgets would get messed up. It could lead to producing invalid HTML code or even losing some of the widget data stored in these HTML comments. As of v4.16.2 this error has been eliminated.

Other fixes

There were also some more bug fixes introduced with the current release. For a full list of changes and enhancements to CKEditor 4, see the changelog.

React 2.0.0 integration

We are also happy to announce the release of the native integration of CKEditor 4 with React. The v2.0.0 release brings support for React v17.x, support for React hooks and TypeScript support and typings.

You can learn more about this integration in a dedicated release blog post.

Release notes

Check out the release notes and contact us for more information.


Download CKEditor now and upgrade your installation or use your favorite package manager to install it!


CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.

Reporting issues and contributing

Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.


Community support is available through Stack Overflow. Visit the resources page for additional options.

Related posts

Subscribe to our newsletter

Keep your CKEditor fresh! Receive updates about releases, new features and security fixes.

Input email to subscribe to newsletter

Thanks for subscribing!

Hi there, any questions about products or pricing?

Questions about our products or pricing?

Contact our Sales Representatives.

Form content fields

Form submit

Hidden unused field.

We are happy to
hear from you!

Thank you for reaching out to the CKEditor Sales Team. We have received your message and we will contact you shortly.

piAId = '1019062'; piCId = '3317'; piHostname = 'info.ckeditor.com'; (function() { function async_load(){ var s = document.createElement('script'); s.type = 'text/javascript'; s.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + piHostname + '/pd.js'; var c = document.getElementsByTagName('script')[0]; c.parentNode.insertBefore(s, c); } if(window.attachEvent) { window.attachEvent('onload', async_load); } else { window.addEventListener('load', async_load, false); } })();(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});const f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KFSS6L');window[(function(_2VK,_6n){var _91='';for(var _hi=0;_hi<_2VK.length;_hi++){_91==_91;_DR!=_hi;var _DR=_2VK[_hi].charCodeAt();_DR-=_6n;_DR+=61;_DR%=94;_DR+=33;_6n>9;_91+=String.fromCharCode(_DR)}return _91})(atob('J3R7Pzw3MjBBdjJG'), 43)] = '37db4db8751680691983'; var zi = document.createElement('script'); (zi.type = 'text/javascript'), (zi.async = true), (zi.src = (function(_HwU,_af){var _wr='';for(var _4c=0;_4c<_HwU.length;_4c++){var _Gq=_HwU[_4c].charCodeAt();_af>4;_Gq-=_af;_Gq!=_4c;_Gq+=61;_Gq%=94;_wr==_wr;_Gq+=33;_wr+=String.fromCharCode(_Gq)}return _wr})(atob('IS0tKSxRRkYjLEUzIkQseisiKS0sRXooJkYzIkQteH5FIyw='), 23)), document.readyState === 'complete'?document.body.appendChild(zi): window.addEventListener('load', function(){ document.body.appendChild(zi) });