Fixed issues:

• #4934: Fixed: Active focus in dialog tabs is not visible in the High Contrast mode.
• #547: Fixed: Dragging and dropping elements like images within a table is no longer available.
• #4875: Fixed: It is not possible to delete multiple selected lists.
• #4873: Fixed: Pasting content from MS Word and Outlook with horizontal lines prevents images from being uploaded.
• #4952: Fixed: Dragging and dropping images within a table cell appends additional elements.
• #4761: Fixed: Some CSS files are missing unique timestamp used to prevent browser to cache static resources between editor releases.
• #4987: Fixed: Find/Replace is not recognizing more than one space character.
• #5061: Fixed: Find/Replace plugin incorrectly handles multiple whitespace during replacing text.
• #5004: Fixed: MutationObserver used in IFrame Editing Area plugin causes memory leaks.
• #4994: Fixed: Easy Image plugin caused content pasted from Word to turn into an image.

API changes:

• #4918: Explicitly set the config.useComputedState default value to true. Thanks to Shabab Karim!
• #4761: The CKEDITOR.appendTimestamp() function was added.
• #4761: CKEDITOR.dom.document#appendStyleSheet() and CKEDITOR.tools.buildStyleHtml() now use the newly added CKEDITOR.appendTimestamp() function to correctly handle caching of CSS files.

Other changes:

• #5014: Fixed: Toolbar configurator fails when plugin does not define a toolbar group. Thanks to SuperPat!

Fixed issues:

• #4979: Fixed: Added cache key in #4761 started to breaking relative links for external CSS resources. The fix has been reverted and will be corrected in the upcoming release.

Security Updates:

• Fixed XSS vulnerability in the core module reported by William Bowling.

  Issue summary: The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. See security advisory for more details.

• Fixed XSS vulnerability in the core module reported by Maurice Dauer.

  Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. See security advisory for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Adobe ended support of Flash Player on December 31, 2020 and blocked Flash content from running in Flash Player beginning January 12, 2021. We have decided to deprecate and remove the Flash plugin from CKEditor 4 to help protect users' systems and discourage using insecure software.

New Features:

• #3433: Marked required fields in dialogs with asterisk (*) symbol.
• #4374: Integrated the Maximize plugin with browser's History API.
• #4461: Introduced the possibility to delay editor initialization while it is in a detached DOM element.
• #4462: Introduced support for reattaching editor container element to DOM.
• #4612: Allow pasting images as Base64 from clipboard in all browsers except IE.
• #4681: Allow drag and drop images as Base64.
• #4750: Added notification for pasting and dropping unsupported file types into the editor.
• #4807: [Chrome] Improved the performance of pasting large images. Thanks to FlowIT-JIT!
• #4850: Added support for loading content templates from HTML files. Thanks to Fynn96!
• #4874: Added the config.clipboard_handleImages configuration option for enabling and disabling built-in support for pasting and dropping images in the Clipboard plugin. Thanks to FlowIT-JIT!
• #4026: Preview plugin now uses the editor#title property for the title of the preview window. Thanks to Ely!
• #4467: Added support for inserting content next to a block widgets using keyboard navigation. Thanks to bunglegrind!

Fixed Issues:

• #3757: [Firefox] Fixed: images pasted from clipboard are not inserted as Base64-encoded images.
• #3876: Fixed: The Print plugin incorrectly prints links and images.
• #4444: [Firefox] Fixed: Print preview is incorrectly loaded from CDN.
• #4596: Fixed: Incorrect handling of HSL/HSLA values in CKEDITOR.tools.color.
• #4597: Fixed: Incorrect color conversion for HSL/HSLA values in CKEDITOR.tools.color.
• #4604: Fixed: CKEDITOR.plugins.clipboard.dataTransfer#getTypes() returns no types.
• #4761: Fixed: Not all resources loaded by the editor respect the cache key.
• #4783: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon activating a toolbar button.
• #4790: Fixed: Printing page is invoked before the printed page is fully loaded.
• #4874: Fixed: Built-in support for pasting and dropping images in the Clipboard plugin restricts third party plugins from handling image pasting. Thanks to FlowIT-JIT!
• #4888: Fixed: The CKEDITOR.dialog#setState() method throws error when there is no "OK" button in the dialog.
• #4858: Fixed: The Autolink plugin incorrectly escapes the & characters when pasting links into the editor.
• #4892: Fixed: Focus of buttons in dialogs is not visible enough in High Contrast mode.
• #3858: Fixed: Pasting content in ENTER_BR enter mode crashes the editor.
• #4891: Fixed: The Autogrow plugin applies fixed width to the editor.

API Changes:

• #4462: CKEDITOR.editor#getSelection() now returns null if the editor is in recreating state.
• #4583: Added support for new, comma-less color syntax to CKEDITOR.tools.color.
• #4604: Added the CKEDITOR.plugins.clipboard.dataTransfer#isFileTransfer() method.
• #4761: CKEDITOR.dom.document#appendStyleSheet() and CKEDITOR.tools.buildStyleHtml() now use CKEDITOR.getUrl() to correctly handle caching of CSS files.
• #4790: Added callback parameter to CKEDITOR.plugins.preview#createPreview() method.

Other Changes:

• #4866: The Flash plugin is now deprecated and has been removed from CKEditor 4.
• #4901: Redesigned buttons placement in the Content templates dialog to make it more UX friendly. Thanks to Fynn96!

Security Updates:

• Fixed XSS vulnerability in the Clipboard plugin reported by Anton Subbotin.

  Issue summary: The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. See security advisory for more details.

• Fixed XSS vulnerability in the Widget plugin reported by Anton Subbotin.

  Issue summary: The vulnerability allowed to abuse undo functionality using malformed Widget HTML, which could result in executing JavaScript code. See security advisory for more details.

• Fixed XSS vulnerability in the Fake Objects plugin reported by Mika Kulmala.

  Issue summary: The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. See security advisory for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Fixed Issues:

• #4777: Fixed: HTML comments in widgets not processed correctly.
• #4733: Fixed: Link prevent duplicate anchors in text with styles.
  • #4728: Fixed: Multiple anchors in one line and multi-line with text style.
  • #3863: Fixed: Multiple anchors in single word with text style.
• #3819: [Chrome] Fixed: After removing one of the two consecutive spaces, the   character appears in the editor instead of a space.
• #4666: [IE] Introduce CSS.escape polyfill. Thanks to limingli0707!
  • #681: Fixed: Table elements (td, tr, th, ..) with an id that starts with dot (.) causes javascript runtime err.
  • #641: Fixed: UploadImage Plugin Widgets not working in IE, Opera, Safari, PhantomJS.
• #3638: Fixed: Opening the same dialog twice causes it to become hidden under the dialog's page cover.
• #4247: Fixed: Color Button's incorrect rendering on the first opening.
• #4555: Fixed: Font styles with attributes are not applied correctly when used multiple times over the same selection.
• #4782: [Firefox] Fixed: TypeError is thrown when switching to Source View and back while Autocomplete plugin is enabled.

Fixed Issues:

• #4617: Fixed: Autocomplete is not accessible in inline editors.
• #4493: Fixed: The drop-down label does not reflect the current value of the drop-down.
• #1572: Fixed: A paragraph before or after a widget cannot be removed. Thanks to bunglegrind!
• #4301: Fixed: Pasted content is overwritten when pasted in an initially empty editor with the div Enter mode.
• #4351: Fixed: Incorrect values for RGBA/HSLA colors in Color Dialog.
• #4509: Fixed: Incorrect handling of drag & drop inside widgets and nested editables.
• #4611: [Android, iOS] Fixed: Incorrect hover styles for buttons in the toolbar on mobile devices.
• #4652: Fixed: Event data set to false is treated as an event cancelation.

Security Updates:

• Fixed ReDoS vulnerability in the Autolink plugin.

  Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted URL-like text into the editor and press Enter or Space.

• Fixed ReDoS vulnerability in the Advanced Tab for Dialogs plugin.

  Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted text into the Styles dialog.

An upgrade is highly recommended!

New Features:

• #2800: Unsupported image formats are now gracefully handled by the Paste from Word plugin on paste, additionally showing descriptive error messages.
• #2800: Unsupported image formats are now gracefully handled by the Paste from LibreOffice plugin on paste, additionally showing descriptive error messages.
• #3582: Introduced smart positioning of the Autocomplete panel used by the Mentions and Emoji plugins. The panel will now be additionally positioned related to the browser viewport to be always fully visible.
• #4388: Added the option to remove an iframe created with the IFrame Dialog plugin from the sequential keyboard navigation using the tabindex attribute. Thanks to Timo Kirkkala!

Fixed Issues:

• #1134: [Safari] Fixed: Paste from Word does not embed images.
• #2800: Fixed: No images are imported from Microsoft Word when the content is pasted via the Paste from Word plugin if there is at least one image of unsupported format.
• #4379: [Edge] Fixed: Incorrect detection of the high contrast mode.
• #4422: Fixed: Missing space between the button name and the keyboard shortcut inside the button label in the high contrast mode.
• #2208: [IE] Fixed: The Autolink plugin duplicates the native browser implementation.
• #1824: Fixed: The Autolink plugin should require the Link plugin.
• #4253: Fixed: The Editor Placeholder plugin throws an error during the editor initialization with config.fullPage enabled when there is no <body> tag in the editor content.
• #4372: Fixed: The Autogrow plugin changes the editor's width when used with an absolute config.width value.

API Changes:

• #4358: Introduced the CKEDITOR.tools.color class which adds colors validation and methods for converting colors between various formats: named colors, HEX, RGB, RGBA, HSL and HSLA.
• #3782: Moved the CKEDITOR.plugins.pastetools.filters.word.images filters to the CKEDITOR.plugins.pastetools.filters.image namespace.
• #4297: All CKEDITOR.plugins.pastetools.filters are now available under the CKEDITOR.pasteTools alias.
• #4394: Introduced CKEDITOR.ajax specialized loading methods for loading binary (CKEDITOR.ajax.loadBinary()) and text (CKEDITOR.ajax.loadText()) data.

Other Changes:

• The WebSpellChecker (WSC) plugin is now disabled by default in Standard and Full presets. It can be enabled via extraPlugins configuration option.

Security Updates:

• Fixed XSS vulnerability in the Color History feature reported by Mark Wade.

  Issue summary: It was possible to execute an XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog.

An upgrade is highly recommended!

Fixed Issues:

• #4293: Fixed: The CKEDITOR.inlineAll() method tries to initialize inline editor also on elements with an editor already attached to them.
• #3961: Fixed: The Table Resize plugin prevents editing of merged cells.
• #3649: Fixed: Applying a block format should remove existing block styles.
• #4282: Fixed: The script loader does not execute callback for scripts already loaded when called for the second time. Thanks to Alexander Korotkevich!
• #4273: Fixed: A memory leak in the CKEDITOR.domReady() method connected with not removing load event listeners. Thanks to rohit1!
• #1330: Fixed: Incomplete CSS margin parsing if an auto or 0 value is used.
• #4286: Fixed: The Auto Grow plugin causes the editor width to be set to 0 on editor resize.
• #848: Fixed: Arabic text not being "bound" correctly when pasting. Thanks to Thomas Hunkapiller and J. Ivan Duarte Rodríguez!

API Changes:

• #3649: Added a new stylesRemove editor event.

Other Changes:

• #4262: Removed the global reference to the stylesLoaded variable. Thanks to Levi Carter!
• Updated the Export to PDF plugin to 1.0.1 version:
  • Improved external CSS support for classic editor by handling exceptions and displaying convenient error messages.

Fixed Issues:

• #2607: Fixed: The Emoji plugin SVG icons file is not loaded in CORS context.
• #3866: Fixed: The config.readOnly configuration option not considered for startup read-only mode of inline editor.
• #3931: [IE] Fixed: An error is thrown when pasting using the Paste button after accepting the browser Clipboard Access Prompt dialog.
• #3938: Fixed: Cannot navigate the Autocomplete panel with the keyboard after switching to source mode.
• #2823: [IE] Fixed: Cannot resize the last table column using the Table Resize plugin.
• #909: Fixed: The Table Resize plugin does not work when the editor is placed in an absolutely positioned container. Thanks to Roland Petto!
• #1959: Fixed: The Table Resize plugin does not work in a maximized editor when the Div Editing Area feature is enabled. Thanks to Roland Petto!
• #3156: Fixed: Autolink config.autolink_urlRegex and config.autolink_emailRegex options are not customizable. Thanks to Sergiy Dobrovolsky!
• #624: Fixed: Notification does not work with the bottom toolbar location.
• #3000: Fixed: Auto Embed does not work with the bottom toolbar location.
• #1883: Fixed: The editor.resize() method does not work with CSS units.
• #3926: Fixed: Dragging and dropping a widget sometimes produces an error.
• #4008: Fixed: Remove Format does not work with a collapsed selection.
• #3998: Fixed: An error is thrown when switching to the source mode using a custom Ctrl + Enter keystroke with the Widget plugin present.

Other Changes:

• Updated WebSpellChecker (WSC) and SpellCheckAsYouType (SCAYT) plugins:
  • Fixed: Active Autocomplete panel causes active suggestions to be unnecessarily checked by the SCAYT spell checking mechanism.

Security Updates:

• Fixed XSS vulnerability in the HTML data processor reported by Michał Bentkowski of Securitum.

  Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode or (i) copy the specially crafted HTML code, prepared by the attacker and (ii) paste it into CKEditor in WYSIWYG mode.

• Fixed XSS vulnerability in the WebSpellChecker plugin reported by Pham Van Khanh from Viettel Cyber Security.

  Issue summary: It was possible to execute XSS using CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, then (iii) switch back to WYSIWYG mode, and (iv) preview CKEditor content outside CKEditor editable area.

An upgrade is highly recommended!

New features:

• #2374: Added support for pasting rich content from LibreOffice Writer with the Paste from LibreOffice plugin.
• #2583: Changed emoji suggestion box to show the matched emoji name instead of an ID.
• #3748: Improved the color button state to reflect the selected editor content colors.
• #3661: Improved the Print plugin to respect styling rendered by the Preview plugin.
• #3547: Active dialog tab now has the aria-selected="true" attribute.
• #3441: Improved widget.getClipboardHtml() support for dragging and dropping multiple widgets.

Fixed Issues:

• #3587: [Edge, IE] Fixed: Widget with form input elements loses focus during typing.
• #3705: [Safari] Fixed: Safari incorrectly removes blocks with the editor.extractSelectedHtml() method after selecting all content.
• #1306: Fixed: The Font plugin creates nested HTML <span> tags when reapplying the same font multiple times.
• #3498: Fixed: The editor throws an error during the copy operation when a widget is partially selected.
• #2517: [Chrome, Firefox, Safari] Fixed: Inserting a new image when the selection partially covers an existing enhanced image widget throws an error.
• #3007: [Chrome, Firefox, Safari] Fixed: Cannot modify the editor content once the selection is released over a widget.
• #3698: Fixed: Cutting the selected text when a widget is partially selected merges paragraphs.

API Changes:

• #3387: Added the CKEDITOR.ui.richCombo.select() method.
• #3727: Added new textColor and bgColor commands that apply the selected color chosen by the Color Button plugin.
• #3728: Added new font and fontSize commands that apply the selected font style chosen by the Font plugin.
• #3842: Added the editor.getSelectedRanges() alias.
• #3775: Widget mask and parts can now be refreshed dynamically via API calls.

Fixed Issues:

• #875: Fixed: Pasting inside the editor that contains a table with the Table Selection plugin after selecting all content replaces only the table element instead of the entire content.
• #3415: [Firefox] Fixed: Pasting individual list elements fails. Thanks to Jack Wickham!
• #3413: Fixed: Menu items with labels containing double quotes are rendered incorrectly.
• #3475: [Firefox] Fixed: Pasting plain text over existing content fails and throws an error.
• #2027: Fixed: Incorrect email display text after reopening the Link dialog for display names starting with @.
• #3544: Fixed: The Special Characters dialog read incorrectly by screen readers due to empty table cells at the end.
• #1653: Fixed: Balloon Toolbar is not repositioned when the editor is scrolled with the Div Editing Area feature enabled.
• #3559: Fixed: Color Dialog is incorrectly positioned when used with another dialog.
• #3593: Fixed: Cannot access a text or comment node when replacing an element node with them via CKEDITOR.htmlParser.filter.
• #3524: Fixed: The Easy Image plugin throws an error when any image with an unsupported data type is pasted into the editor.
• #3552: Fixed: Incorrect value of CKEDITOR.plugins.widget.repository#selected after selecting the whole editor content.
• #3586: Fixed: Content pasted from Microsoft Excel is not correctly recognised by the Paste from Word plugin.
• #3585: [Firefox] Fixed: Microsoft Excel content is pasted as an image.
• #3625: [Firefox] Fixed: Microsoft PowerPoint content is pasted as an image.
• #3474: Fixed: Incorrect focus order after any tab in a dialog was clicked.
• #3689: Fixed: Cannot change dialog tabs with keyboard arrow keys after focusing any tab with a mouse click.

API Changes:

• #3634: Added the CKEDITOR.plugins.clipboard.dataTransfer#getTypes() method.