Security Updates:

  • Fixed XSS vulnerability in the HTML parser reported by maxarr.

    Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.

An upgrade is highly recommended!

New Features:

  • #2062: Added the emoji dropdown that allows the user to choose the emoji from the toolbar and search for them using keywords.
  • #2154: The Link plugin now supports phone number links.
  • #1815: The Auto Link plugin supports typing link completion.
  • #2478Link can be inserted using the Ctrl/Cmd + K keystroke.
  • #651: Text pasted using the Paste from Word plugin preserves indentation in paragraphs.
  • #2248: Added support for justification in the BBCode plugin. Thanks to Matěj Kmínek!
  • #706: Added a different cursor style when selecting cells for the Table Selection plugin.
  • #2072: The UI Button plugin supports custom aria-haspopup property values. The Menu Button aria-haspopupvalue is now menu, the Panel Button and Rich Combo aria-haspopup value is now listbox.
  • #1176: The Balloon Panel can now be attached to a selection instead of an element.
  • #2202: Added the contextmenu_contentsCss configuration option to allow adding custom CSS to the Context Menu.

Fixed Issues:

  • #1477: Fixed: On destroy, Balloon Toolbar does not destroy its content.
  • #2394: Fixed: Emoji dropdown does not show up with repeated symbols in a single line.
  • #1181: [Chrome] Fixed: Opening the context menu in a read-only editor results in an error.
  • #2276: [iOS] Fixed: Button state does not refresh properly.
  • #1489: Fixed: Table contents can be removed in read-only mode when the Table Selection plugin is used.
  • #1264 Fixed: Right-click does not clear the selection created with the Table Selection plugin.
  • #586 Fixed: The required attribute is not correctly recognized by the Form Elements plugin dialog. Thanks to Roli Züger!
  • #2380 Fixed: Styling HTML comments in a top-level element results in extra paragraphs.
  • #2294 Fixed: Pasting content from Microsoft Outlook and then bolding it results in an error.
  • #2035 [Edge] Fixed: Permission denied is thrown when opening a Panel instance.
  • #965 Fixed: The config.forceSimpleAmpersand option does not work. Thanks to Alex Maris!
  • #2448: Fixed: The [Escape HTML Entities] plugin with custom additional entities configuration breaks HTML escaping.
  • #898: Fixed: Enhanced Image long alternative text protrudes into the editor when the image is selected.
  • #1113: [Firefox] Fixed: Nested contenteditable elements path is not updated on focus with the Div Editing Area plugin.
  • #1682 Fixed: Hovering the Balloon Toolbar panel changes its size, causing flickering.
  • #421 Fixed: Expandable Button puts the (Selected) text at the end of the label when clicked.
  • #1454: Fixed: The onAbort method of the Upload Widget is not called when the loader is aborted.
  • #1451: Fixed: The context menu is incorrectly positioned when opened with Shift+F10.
  • #1722CKEDITOR.filter.instances is causing memory leaks.
  • #2491: Fixed: The Mentions plugin is not matching diacritic characters.
  • #2519: Fixed: The Accessibility Help dialog should display all available keystrokes for a single command.

API Changes:

Other Changes:

  • #1713: Removed the redundant lang.title entry from the Clipboard plugin.
Twitter Facebook Facebook Instagram Medium Google+ GitHub Arrow down Phone Menu Close icon Check