Security Updates:
- Fixed XSS vulnerability in the HTML parser reported by maxarr.
  Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
An upgrade is highly recommended!
New Features:
- #2062: Added the emoji dropdown that allows the user to choose the emoji from the toolbar and search for them using keywords.
- #2154: The Link plugin now supports phone number links.
- #1815: The Auto Link plugin supports typing link completion.
- #2478: Link can be inserted using the Ctrl/Cmd + K keystroke.
- #651: Text pasted using the Paste from Word plugin preserves indentation in paragraphs.
- #2248: Added support for justification in the BBCode plugin. Thanks to Matěj Kmínek!
- #706: Added a different cursor style when selecting cells for the Table Selection plugin.
- #2072: The UI Button plugin supports custom `aria-haspopup` property values. The Menu Button `aria-haspopup` value is now `menu`, the Panel Button and Rich Combo `aria-haspopup` value is now `listbox`.
- #1176: The Balloon Panel can now be attached to a selection instead of an element.
- #2202: Added the `contextmenu_contentsCss` configuration option to allow adding custom CSS to the Context Menu.
Fixed Issues:
- #1477: Fixed: On destroy, Balloon Toolbar does not destroy its content.
- #2394: Fixed: Emoji dropdown does not show up with repeated symbols in a single line.
- #1181: [Chrome] Fixed: Opening the context menu in a read-only editor results in an error.
- #2276: [iOS] Fixed: Button state does not refresh properly.
- #1489: Fixed: Table contents can be removed in read-only mode when the Table Selection plugin is used.
- #1264 Fixed: Right-click does not clear the selection created with the Table Selection plugin.
- #586 Fixed: The `required` attribute is not correctly recognized by the Form Elements plugin dialog. Thanks to Roli Züger!
- #2380 Fixed: Styling HTML comments in a top-level element results in extra paragraphs.
- #2294 Fixed: Pasting content from Microsoft Outlook and then bolding it results in an error.
- #2035 [Edge] Fixed: `Permission denied` is thrown when opening a Panel instance.
- #965 Fixed: The `config.forceSimpleAmpersand` option does not work. Thanks to Alex Maris!
- #2448: Fixed: The Escape HTML Entities plugin with custom additional entities configuration breaks HTML escaping.
- #898: Fixed: Enhanced Image long alternative text protrudes into the editor when the image is selected.
- #1113: [Firefox] Fixed: Nested contenteditable elements path is not updated on focus with the Div Editing Area plugin.
- #1682 Fixed: Hovering the Balloon Toolbar panel changes its size, causing flickering.
- #421 Fixed: Expandable Button puts the `(Selected)` text at the end of the label when clicked.
- #1454: Fixed: The `onAbort` method of the Upload Widget is not called when the loader is aborted.
- #1451: Fixed: The context menu is incorrectly positioned when opened with Shift+F10.
- #1722: `CKEDITOR.filter.instances` is causing memory leaks.
- #2491: Fixed: The Mentions plugin is not matching diacritic characters.
- #2519: Fixed: The Accessibility Help dialog should display all available keystrokes for a single command.
API Changes:
- #2453: The `CKEDITOR.ui.panel.block.getItems` method now also returns `input` elements in addition to links.
- #2224: The `CKEDITOR.tools.convertToPx` function now converts negative values.
- #2253: The widget definition `insert` method now passes `editor` and `commandData`. Thanks to marcparmet!
- #2045: Extracted `tools.eventsBuffer` and `tools.throttle` functions logic into a separate namespace.
  - `tools.eventsBuffer` was extracted into `tools.buffers.event`,
  - `tools.throttle` was extracted into `tools.buffers.throttle`.
- #2466: The `CKEDITOR.filter` constructor accepts an additional `rules` parameter allowing to bind the editor and filter together.
- #2493: The `editor.getCommandKeystroke` method accepts an additional `all` parameter allowing to retrieve an array of all command keystrokes.
- #2483: Button's DOM element created with the `hasArrow` definition option can be identified by the `.cke_button_expandable` CSS class.
Other Changes:
Fixed Issues:
- #2114: Fixed: Autocomplete cannot be initialized before `instanceReady`.
- #2107: Fixed: Holding and releasing the mouse button is not inserting an autocomplete suggestion.
- #2167: Fixed: Matching in Emoji plugin is not case insensitive.
- #2195: Fixed: Emoji shows the suggestion box when the colon is preceded with other characters than white space.
- #2169: [Edge] Fixed: Error thrown when pasting into the editor.
- #1084 Fixed: Using the "Automatic" option with Color Button on a text with the color already defined sets an invalid color value.
- #2271: Fixed: Custom color name not used as a label in the Color Button plugin. Thanks to Eric Geloen!
- #2296: Fixed: Color Button throws an error when activated on a content containing HTML comments.
- #966: Fixed: Executing `editor.destroy()` during the file upload throws an error. Thanks to Maksim Makarevich!
- #1719: Fixed: Ctrl/Cmd + A inadvertently focuses inline editor if it is starting and ending with a list. Thanks to theNailz!
- #1046: Fixed: Subsequent new links do not include the `id` attribute. Thanks to Nathan Samson!
- #1348: Fixed: Enhanced Image plugin aspect ratio locking uses an old width and height on image URL change.
- #1791: Fixed: Image and Enhanced Image plugins can be enabled when Easy Image is present.
- #2254: Fixed: Image ratio locking is too precise for resized images. Thanks to Jonathan Gilbert!
- #1184: [IE8-11] Fixed: Copying and pasting data in read-only mode throws an error.
- #1916: [IE9-11] Fixed: Pressing the Delete key in read-only mode throws an error.
- #2003: [Firefox] Fixed: Right-clicking multiple selected table cells containing empty paragraphs removes the selection.
- #1816: Fixed: Table breaks when Enter is pressed over the Table Selection plugin.
- #1115: Fixed: The `<font>` tag is not preserved when proper configuration is provided and a style is applied by the Font plugin.
- #727: Fixed: Custom styles may be invisible in the Styles Combo plugin.
- #988: Fixed: ACF-enabled custom elements prefixed with `object`, `embed`, `param` are removed from the editor content.
API Changes:
- #2249: Added the `editor.plugins.detectConflict()` method finding conflicts between provided plugins.
New Features:
- #1751: Introduced the Autocomplete feature that consists of the following plugins:
  - Autocomplete – Provides contextual completion feature for custom text matches based on user input.
  - Text Watcher – Checks whether an editor's text change matches the chosen criteria.
  - Text Match – Allows to search `CKEDITOR.dom.range` for matching text.
- #1703: Introduced the Mentions plugin providing smart completion feature for custom text matches based on user input starting with a chosen marker character.
- #1746: Introduced the Emoji plugin providing completion feature for emoji ideograms.
- #1761: The Auto Link plugin now supports email links.
Fixed Issues:
- #1458: [Edge] Fixed: After blurring the editor it takes 2 clicks to focus a widget.
- #1034: Fixed: JAWS leaves forms mode after pressing the Enter key in an inline editor instance.
- #1748: Fixed: Missing `CKEDITOR.dialog.definition.onHide` API documentation. Thanks to sunnyone!
- #1321: Ideographic space character (`\u3000`) is lost when pasting text.
- #1776: Empty caption placeholder of the Image Base plugin is not hidden when blurred.
- #1592: The Image Base plugin caption is not visible after paste.
- #620: Fixed: The `config.forcePasteAsPlainText` option is not respected in internal and cross-editor pasting.
- #1467: Fixed: The resizing cursor of the Table Resize plugin appearing in the middle of a merged cell.
API Changes:
- #850: Backward incompatibility: Replaced the `replace` dialog from the Find / Replace plugin with a `tabId` option in the `find` command.
- #1582: The `CKEDITOR.editor.addCommand()` method can now accept a `CKEDITOR.command` instance as a parameter.
- #1712: The `extraPlugins`, `removePlugins` and `plugins` configuration options allow whitespace.
- #1802: The `extraPlugins`, `removePlugins` and `plugins` configuration options allow passing plugin names as an array.
- #1724: Added an option to the `getClientRect()` function allowing to retrieve an absolute bounding rectangle of the element, i.e. a position relative to the upper-left corner of the topmost viewport.
- #1498: Added a new `getClientRects()` method to `CKEDITOR.dom.range`. It returns a list of rectangles for each selected element.
- #1993: Added the `CKEDITOR.tools.throttle()` function.
Other Changes:
- Updated SCAYT (Spell Check As You Type) and WebSpellChecker (WSC) plugins:
  - Language dictionary update: Added support for the Uzbek Latin language.
  - Languages no longer supported as additional languages: Manx - Isle of Man (`gv_GB`) and Interlingua (`ia_XR`).
  - Extended and improved language dictionaries: Georgian and Swedish. Also added the missing word "Ensure" to the American, British and Canada English language.
  - #141 Fixed: SCAYT throws "Uncaught Error: Error in RangyWrappedRange module: createRange(): Parameter must be a Window object or DOM node".
  - #153 [Chrome] Fixed: Correcting a word in the widget in SCAYT moves focus to another editable.
  - #155 [IE8] Fixed: SCAYT throws an error and does not work.
  - #156 [IE10] Fixed: SCAYT does not seem to work.
  - Fixed: After some text is dragged and dropped, the markup is not refreshed for grammar problems in SCAYT.
  - Fixed: Request to FastCGI fails when the user tries to replace a word with non-English characters with a proper suggestion in WSC.
  - [Firefox] Fixed: Ctrl+Z removes focus in SCAYT.
  - Grammar support for default languages was improved.
  - New application source URL was added in SCAYT.
  - Removed green marks and legend related to grammar-supported languages in the Languages tab of SCAYT. Grammar is now supported for almost all the languages in the list for an additional fee.
  - Fixed: JavaScript error in the console: "Cannot read property 'split' of undefined" in SCAYT and WSC.
  - [IE10] Fixed: Markup is not set for a specific case in SCAYT.
  - Fixed: Accessibility issue: No `alt` attribute for the logo image in the About tab of SCAYT.
Security Updates:
- Fixed XSS vulnerability in the Enhanced Image (`image2`) plugin reported by Kyaw Min Thein.
  Issue summary: It was possible to execute XSS inside CKEditor using the `<img>` tag and specially crafted HTML. Please note that the default presets (Basic/Standard/Full) do not include this plugin, so you are only at risk if you made a custom build and enabled this plugin.
Fixed Issues:
- #1835: Fixed: Integration between CKFinder and File Browser plugin does not work.