Release notes

CKEditor 4.16.2

Aug 12/2021

Security Updates:

Fixed XSS vulnerability in the Clipboard plugin reported by Anton Subbotin.

Issue summary: The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. See security advisory for more details.
Fixed XSS vulnerability in the Widget plugin reported by Anton Subbotin.

Issue summary: The vulnerability allowed to abuse undo functionality using malformed Widget HTML, which could result in executing JavaScript code. See security advisory for more details.
Fixed XSS vulnerability in the Fake Objects plugin reported by Mika Kulmala.

Issue summary: The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. See security advisory for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Fixed Issues:

#4777: Fixed: HTML comments in widgets not processed correctly.
#4733: Fixed: Link prevent duplicate anchors in text with styles.
- #4728: Fixed: Multiple anchors in one line and multi-line with text style.
- #3863: Fixed: Multiple anchors in single word with text style.
#3819: [Chrome] Fixed: After removing one of the two consecutive spaces, the   character appears in the editor instead of a space.
#4666: [IE] Introduce CSS.escape polyfill. Thanks to limingli0707!
- #681: Fixed: Table elements (td, tr, th, ..) with an id that starts with dot (.) causes javascript runtime err.
- #641: Fixed: UploadImage Plugin Widgets not working in IE, Opera, Safari, PhantomJS.
#3638: Fixed: Opening the same dialog twice causes it to become hidden under the dialog's page cover.
#4247: Fixed: Color Button's incorrect rendering on the first opening.
#4555: Fixed: Font styles with attributes are not applied correctly when used multiple times over the same selection.
#4782: [Firefox] Fixed: TypeError is thrown when switching to Source View and back while Autocomplete plugin is enabled.

Download .zip Download .gzip

CKEditor 4.16.1

May 20/2021

Fixed Issues:

#4617: Fixed: Autocomplete is not accessible in inline editors.
#4493: Fixed: The drop-down label does not reflect the current value of the drop-down.
#1572: Fixed: A paragraph before or after a widget cannot be removed. Thanks to bunglegrind!
#4301: Fixed: Pasted content is overwritten when pasted in an initially empty editor with the div Enter mode.
#4351: Fixed: Incorrect values for RGBA/HSLA colors in Color Dialog.
#4509: Fixed: Incorrect handling of drag & drop inside widgets and nested editables.
#4611: [Android, iOS] Fixed: Incorrect hover styles for buttons in the toolbar on mobile devices.
#4652: Fixed: Event data set to false is treated as an event cancelation.

Download .zip Download .gzip

CKEditor 4.16.0

Jan 26/2021

Security Updates:

Fixed ReDoS vulnerability in the Autolink plugin.

Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted URL-like text into the editor and press Enter or Space.
Fixed ReDoS vulnerability in the Advanced Tab for Dialogs plugin.

Issue summary: It was possible to execute a ReDoS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted text into the Styles dialog.

An upgrade is highly recommended!

New Features:

#2800: Unsupported image formats are now gracefully handled by the Paste from Word plugin on paste, additionally showing descriptive error messages.
#2800: Unsupported image formats are now gracefully handled by the Paste from LibreOffice plugin on paste, additionally showing descriptive error messages.
#3582: Introduced smart positioning of the Autocomplete panel used by the Mentions and Emoji plugins. The panel will now be additionally positioned related to the browser viewport to be always fully visible.
#4388: Added the option to remove an iframe created with the IFrame Dialog plugin from the sequential keyboard navigation using the tabindex attribute. Thanks to Timo Kirkkala!

Fixed Issues:

#1134: [Safari] Fixed: Paste from Word does not embed images.
#2800: Fixed: No images are imported from Microsoft Word when the content is pasted via the Paste from Word plugin if there is at least one image of unsupported format.
#4379: [Edge] Fixed: Incorrect detection of the high contrast mode.
#4422: Fixed: Missing space between the button name and the keyboard shortcut inside the button label in the high contrast mode.
#2208: [IE] Fixed: The Autolink plugin duplicates the native browser implementation.
#1824: Fixed: The Autolink plugin should require the Link plugin.
#4253: Fixed: The Editor Placeholder plugin throws an error during the editor initialization with config.fullPage enabled when there is no <body> tag in the editor content.
#4372: Fixed: The Autogrow plugin changes the editor's width when used with an absolute config.width value.

API Changes:

#4358: Introduced the CKEDITOR.tools.color class which adds colors validation and methods for converting colors between various formats: named colors, HEX, RGB, RGBA, HSL and HSLA.
#3782: Moved the CKEDITOR.plugins.pastetools.filters.word.images filters to the CKEDITOR.plugins.pastetools.filters.image namespace.
#4297: All CKEDITOR.plugins.pastetools.filters are now available under the CKEDITOR.pasteTools alias.
#4394: Introduced CKEDITOR.ajax specialized loading methods for loading binary (CKEDITOR.ajax.loadBinary()) and text (CKEDITOR.ajax.loadText()) data.

Other Changes:

The WebSpellChecker (WSC) plugin is now disabled by default in Standard and Full presets. It can be enabled via extraPlugins configuration option.

Download .zip Download .gzip

CKEditor 4.15.1

Nov 09/2020

Security Updates:

Fixed XSS vulnerability in the Color History feature reported by Mark Wade.

Issue summary: It was possible to execute an XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog.

An upgrade is highly recommended!

Fixed Issues:

#4293: Fixed: The CKEDITOR.inlineAll() method tries to initialize inline editor also on elements with an editor already attached to them.
#3961: Fixed: The Table Resize plugin prevents editing of merged cells.
#3649: Fixed: Applying a block format should remove existing block styles.
#4282: Fixed: The script loader does not execute callback for scripts already loaded when called for the second time. Thanks to Alexander Korotkevich!
#4273: Fixed: A memory leak in the CKEDITOR.domReady() method connected with not removing load event listeners. Thanks to rohit1!
#1330: Fixed: Incomplete CSS margin parsing if an auto or 0 value is used.
#4286: Fixed: The Auto Grow plugin causes the editor width to be set to 0 on editor resize.
#848: Fixed: Arabic text not being "bound" correctly when pasting. Thanks to Thomas Hunkapiller and J. Ivan Duarte Rodríguez!

API Changes:

#3649: Added a new stylesRemove editor event.

Other Changes:

#4262: Removed the global reference to the stylesLoaded variable. Thanks to Levi Carter!
Updated the Export to PDF plugin to 1.0.1 version:
- Improved external CSS support for classic editor by handling exceptions and displaying convenient error messages.

Download .zip Download .gzip

CKEditor 4.15.0

Sep 07/2020

New features:

#3940: Introduced the colorName property for customizing foreground and background styles in the Color Button plugin via the config.colorButton_foreStyle and config.colorButton_backStyle configuration options.
#3793: Introduced the Editor Placeholder plugin.
#1795: The colors picked from the Color Dialog are now stored in the Color Button palette and can be reused easily.
#3783: The colors used in the document are now displayed as a part of the Color Button palette.

Fixed Issues:

#4060: Fixed: The content inside a widget nested editable is escaped twice.
#4183: [Safari] Fixed: Incorrect image dimensions when using the Easy Image plugin alongside the IFrame Editing Area plugin.
#3693: Fixed: Incorrect default values for several Color Button configuration variables in the API documentation.
#3795: Fixed: Setting the config.dataIndentationChars configuration option to an empty string is ignored and replaced by a tab (\t) character. Thanks to Thomas Grinderslev!
#4107: Fixed: Multiple Autocomplete instances cause keyboard navigation issues.
#4041: Fixed: Theselection.scrollIntoView method throws an error when the editor selection is not set.
#3361: Fixed: Loading multiple custom editor configurations is prone to a race condition between these.
#4007: Fixed: Screen readers do not announce the Rich Combo plugin is collapsed or expanded.
#4141: Fixed: The styles are incorrectly applied when there is a <select> element inside the editor.

Download .zip Download .gzip