CKEditor 4

Security Updates:

• Fixed XSS vulnerability in the HTML parser reported by maxarr.

  Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.

An upgrade is highly recommended!

New Features:

• #2062: Added the emoji dropdown that allows the user to choose the emoji from the toolbar and search for them using keywords.
• #2154: The Link plugin now supports phone number links.
• #1815: The Auto Link plugin supports typing link completion.
• #2478: Link can be inserted using the Ctrl/Cmd + K keystroke.
• #651: Text pasted using the Paste from Word plugin preserves indentation in paragraphs.
• #2248: Added support for justification in the BBCode plugin. Thanks to MatÄ›j Kmínek!
• #706: Added a different cursor style when selecting cells for the Table Selection plugin.
• #2072: The UI Button plugin supports custom aria-haspopup property values. The Menu Button aria-haspopupvalue is now menu, the Panel Button and Rich Combo aria-haspopup value is now listbox.
• #1176: The Balloon Panel can now be attached to a selection instead of an element.
• #2202: Added the contextmenu_contentsCss configuration option to allow adding custom CSS to the Context Menu.

Fixed Issues:

• #1477: Fixed: On destroy, Balloon Toolbar does not destroy its content.
• #2394: Fixed: Emoji dropdown does not show up with repeated symbols in a single line.
• #1181: [Chrome] Fixed: Opening the context menu in a read-only editor results in an error.
• #2276: [iOS] Fixed: Button state does not refresh properly.
• #1489: Fixed: Table contents can be removed in read-only mode when the Table Selection plugin is used.
• #1264 Fixed: Right-click does not clear the selection created with the Table Selection plugin.
• #586 Fixed: The required attribute is not correctly recognized by the Form Elements plugin dialog. Thanks to Roli Züger!
• #2380 Fixed: Styling HTML comments in a top-level element results in extra paragraphs.
• #2294 Fixed: Pasting content from Microsoft Outlook and then bolding it results in an error.
• #2035 [Edge] Fixed: Permission denied is thrown when opening a Panel instance.
• #965 Fixed: The config.forceSimpleAmpersand option does not work. Thanks to Alex Maris!
• #2448: Fixed: The [Escape HTML Entities] plugin with custom additional entities configuration breaks HTML escaping.
• #898: Fixed: Enhanced Image long alternative text protrudes into the editor when the image is selected.
• #1113: [Firefox] Fixed: Nested contenteditable elements path is not updated on focus with the Div Editing Area plugin.
• #1682 Fixed: Hovering the Balloon Toolbar panel changes its size, causing flickering.
• #421 Fixed: Expandable Button puts the (Selected) text at the end of the label when clicked.
• #1454: Fixed: The onAbort method of the Upload Widget is not called when the loader is aborted.
• #1451: Fixed: The context menu is incorrectly positioned when opened with Shift+F10.
• #1722: CKEDITOR.filter.instances is causing memory leaks.
• #2491: Fixed: The Mentions plugin is not matching diacritic characters.
• #2519: Fixed: The Accessibility Help dialog should display all available keystrokes for a single command.

API Changes:

• #2453: The CKEDITOR.ui.panel.block.getItems method now also returns input elements in addition to links.
• #2224: The CKEDITOR.tools.convertToPx function now converts negative values.
• #2253: The widget definition insert method now passes editor and commandData. Thanks to marcparmet!
• #2045: Extracted tools.eventsBuffer and tools.throttle functions logic into a separate namespace.
  • tools.eventsBuffer was extracted into tools.buffers.event,
  • tools.throttle was extracted into tools.buffers.throttle.
• #2466: The CKEDITOR.filter constructor accepts an additional rules parameter allowing to bind the editor and filter together.
• #2493: The editor.getCommandKeystroke method accepts an additional all parameter allowing to retrieve an array of all command keystrokes.
• #2483: Button's DOM element created with the hasArrow definition option can by identified by the .cke_button_expandable CSS class.

Other Changes:

• #1713: Removed the redundant lang.title entry from the Clipboard plugin.

New Features:

• #1751: Introduced the Autocomplete feature that consists of the following plugins:
  • Autocomplete – Provides contextual completion feature for custom text matches based on user input.
  • Text Watcher – Checks whether an editor's text change matches the chosen criteria.
  • Text Match – Allows to search CKEDITOR.dom.range for matching text.
• #1703: Introduced the Mentions plugin providing smart completion feature for custom text matches based on user input starting with a chosen marker character.
• #1746: Introduced the Emoji plugin providing completion feature for emoji ideograms.
• #1761: The Auto Link plugin now supports email links.

Fixed Issues:

• #1458: [Edge] Fixed: After blurring the editor it takes 2 clicks to focus a widget.
• #1034: Fixed: JAWS leaves forms mode after pressing the Enter key in an inline editor instance.
• #1748: Fixed: Missing CKEDITOR.dialog.definition.onHide API documentation. Thanks to sunnyone!
• #1321: Ideographic space character (\u3000) is lost when pasting text.
• #1776: Empty caption placeholder of the Image Base plugin is not hidden when blurred.
• #1592: The Image Base plugin caption is not visible after paste.
• #620: Fixed: The config.forcePasteAsPlainText option is not respected in internal and cross-editor pasting.
• #1467: Fixed: The resizing cursor of the Table Resize plugin appearing in the middle of a merged cell.

API Changes:

• #850: Backward incompatibility: Replaced the replace dialog from the Find / Replace plugin with a tabId option in the find command.
• #1582: The CKEDITOR.editor.addCommand() method can now accept a CKEDITOR.command instance as a parameter.
• #1712: The extraPlugins, removePlugins and plugins configuration options allow whitespace.
• #1802: The extraPlugins, removePlugins and plugins configuration options allow passing plugin names as an array.
• #1724: Added an option to the getClientRect() function allowing to retrieve an absolute bounding rectangle of the element, i.e. a position relative to the upper-left corner of the topmost viewport.
• #1498 : Added a new getClientRects() method to CKEDITOR.dom.range. It returns a list of rectangles for each selected element.
• #1993: Added the CKEDITOR.tools.throttle() function.

Other Changes:

• Updated SCAYT (Spell Check As You Type) and WebSpellChecker (WSC) plugins:
  • Language dictionary update: Added support for the Uzbek Latin language.
  • Languages no longer supported as additional languages: Manx - Isle of Man (gv_GB) and Interlingua (ia_XR).
  • Extended and improved language dictionaries: Georgian and Swedish. Also added the missing word "Ensure" to the American, British and Canada English language.
  • #141 Fixed: SCAYT throws "Uncaught Error: Error in RangyWrappedRange module: createRange(): Parameter must be a Window object or DOM node".
  • #153 [Chrome] Fixed: Correcting a word in the widget in SCAYT moves focus to another editable.
  • #155 [IE8] Fixed: SCAYT throws an error and does not work.
  • #156 [IE10] Fixed: SCAYT does not seem to work.
  • Fixed: After some text is dragged and dropped, the markup is not refreshed for grammar problems in SCAYT.
  • Fixed: Request to FastCGI fails when the user tries to replace a word with non-English characters with a proper suggestion in WSC.
  • [Firefox] Fixed: Ctrl+Z removes focus in SCAYT.
  • Grammar support for default languages was improved.
  • New application source URL was added in SCAYT.
  • Removed green marks and legend related to grammar-supported languages in the Languages tab of SCAYT. Grammar is now supported for almost all the anguages in the list for an additional fee.
  • Fixed: JavaScript error in the console: "Cannot read property 'split' of undefined" in SCAYT and WSC.
  • [IE10] Fixed: Markup is not set for a specific case in SCAYT.
  • Fixed: Accessibility issue: No alt attribute for the logo image in the About tab of SCAYT.