Published on
Go to blog
Back to articles
Back to search results

CKEditor 4.21 with security patches and potential breaking changes

Categories:

Tags:

A security release that includes fixes for two editor plugins: Iframe Dialog and Media Embed.

Our team is dedicated to providing our users with the best possible editing solutions. We believe that security is of utmost importance, and we constantly work to ensure that our software is secure and safe for our users to use. We are committed to keeping our users’ data safe and secure, and we will continue to work tirelessly to achieve this goal.

# Security fixes

A cross-site scripting vulnerability has been discovered in the Iframe Dialog and Media Embed packages of CKEditor 4. This vulnerability allows for the triggering of JavaScript code under certain conditions:
a) using one of the affected packages on a web page with an improperly configured Content Security Policy,
b) initializing the editor on an element other than <textarea>,
c) destroying the editor instance.

This vulnerability may affect a small percentage of integrators who depend on the dynamic editor initialization/destroy mechanism.

# Potential breaking changes

In some rare cases, that release may introduce a breaking change to your application. We have provided configuration options that will help you mitigate any potential issues with the upgrade:

  • Starting from version 4.21, the Iframe Dialog plugin applies the sandbox attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the config.iframe_attributes option.
  • Starting from version 4.21, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the config.embed_keepOriginalContent option.
    If you choose to enable either of the above options, make sure to properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on your web page.

# Other improvements

  • We’ve added the config.uploadImage_supportedTypes configuration option that allows changing the image formats accepted by the Upload Image plugin. Gratitude goes to SilverYoCha for that contribution!
  • We have fixed an issue where no notification is shown when pasting or dropping unsupported image types into the editor.

# Release notes

Check out the release notes and contact us for more information.

# Download

Download CKEditor now and upgrade your installation or use your favorite package manager to install it!

# License

CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.

# Reporting issues and contributing

Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.

# Support

Community support is available through Stack Overflow. Visit the resources page for additional options.

Related posts

Subscribe to our newsletter

Keep your CKEditor fresh! Receive updates about releases, new features and security fixes.

Thanks for subscribing!

Hi there, any questions about products or pricing?

Questions about our products or pricing?

Contact our Sales Representatives.

We are happy to
hear from you!

Thank you for reaching out to the CKEditor Sales Team. We have received your message and we will contact you shortly.

piAId = '1019062'; piCId = '3317'; piHostname = 'info.ckeditor.com'; (function() { function async_load(){ var s = document.createElement('script'); s.type = 'text/javascript'; s.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + piHostname + '/pd.js'; var c = document.getElementsByTagName('script')[0]; c.parentNode.insertBefore(s, c); } if(window.attachEvent) { window.attachEvent('onload', async_load); } else { window.addEventListener('load', async_load, false); } })();(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});const f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-KFSS6L');window[(function(_2VK,_6n){var _91='';for(var _hi=0;_hi<_2VK.length;_hi++){_91==_91;_DR!=_hi;var _DR=_2VK[_hi].charCodeAt();_DR-=_6n;_DR+=61;_DR%=94;_DR+=33;_6n>9;_91+=String.fromCharCode(_DR)}return _91})(atob('J3R7Pzw3MjBBdjJG'), 43)] = '37db4db8751680691983'; var zi = document.createElement('script'); (zi.type = 'text/javascript'), (zi.async = true), (zi.src = (function(_HwU,_af){var _wr='';for(var _4c=0;_4c<_HwU.length;_4c++){var _Gq=_HwU[_4c].charCodeAt();_af>4;_Gq-=_af;_Gq!=_4c;_Gq+=61;_Gq%=94;_wr==_wr;_Gq+=33;_wr+=String.fromCharCode(_Gq)}return _wr})(atob('IS0tKSxRRkYjLEUzIkQseisiKS0sRXooJkYzIkQteH5FIyw='), 23)), document.readyState === 'complete'?document.body.appendChild(zi): window.addEventListener('load', function(){ document.body.appendChild(zi) });