CKEditor 4.21 with security patches and potential breaking changes
Our team is dedicated to providing our users with the best possible editing solutions. We believe that security is of utmost importance, and we constantly work to ensure that our software is secure and safe for our users to use. We are committed to keeping our users’ data safe and secure, and we will continue to work tirelessly to achieve this goal.
# Security fixes
a) using one of the affected packages on a web page with an improperly configured Content Security Policy,
b) initializing the editor on an element other than
c) destroying the editor instance.
This vulnerability may affect a small percentage of integrators who depend on the dynamic editor initialization/destroy mechanism.
# Potential breaking changes
In some rare cases, that release may introduce a breaking change to your application. We have provided configuration options that will help you mitigate any potential issues with the upgrade:
- Starting from version 4.21, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the config.embed_keepOriginalContent option.
If you choose to enable either of the above options, make sure to properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on your web page.
# Other improvements
- We’ve added the config.uploadImage_supportedTypes configuration option that allows changing the image formats accepted by the Upload Image plugin. Gratitude goes to SilverYoCha for that contribution!
- We have fixed an issue where no notification is shown when pasting or dropping unsupported image types into the editor.
# Release notes
CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.