Fixed XSS vulnerability in the HTML parser reported by maxarr.
Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
An upgrade is highly recommended!
- #2062: Added the emoji dropdown that allows the user to choose the emoji from the toolbar and search for them using keywords.
- #2154: The Link plugin now supports phone number links.
- #1815: The Auto Link plugin supports typing link completion.
- #2478: Link can be inserted using the Ctrl/Cmd + K keystroke.
- #651: Text pasted using the Paste from Word plugin preserves indentation in paragraphs.
- #2248: Added support for justification in the BBCode plugin. Thanks to Matěj Kmínek!
- #706: Added a different cursor style when selecting cells for the Table Selection plugin.
#2072: The UI Button plugin supports custom
aria-haspopupproperty values. The Menu Button
aria-haspopupvalue is now
menu, the Panel Button and Rich Combo
aria-haspopupvalue is now
- #1176: The Balloon Panel can now be attached to a selection instead of an element.
#2202: Added the
contextmenu_contentsCssconfiguration option to allow adding custom CSS to the Context Menu.
- #1477: Fixed: On destroy, Balloon Toolbar does not destroy its content.
- #2394: Fixed: Emoji dropdown does not show up with repeated symbols in a single line.
- #1181: [Chrome] Fixed: Opening the context menu in a read-only editor results in an error.
- #2276: [iOS] Fixed: Button state does not refresh properly.
- #1489: Fixed: Table contents can be removed in read-only mode when the Table Selection plugin is used.
- #1264 Fixed: Right-click does not clear the selection created with the Table Selection plugin.
#586 Fixed: The
requiredattribute is not correctly recognized by the Form Elements plugin dialog. Thanks to Roli Züger!
- #2380 Fixed: Styling HTML comments in a top-level element results in extra paragraphs.
- #2294 Fixed: Pasting content from Microsoft Outlook and then bolding it results in an error.
#2035 [Edge] Fixed:
Permission deniedis thrown when opening a Panel instance.
#965 Fixed: The
config.forceSimpleAmpersandoption does not work. Thanks to Alex Maris!
#2448: Fixed: The [
Escape HTML Entities] plugin with custom additional entities configuration breaks HTML escaping.
- #898: Fixed: Enhanced Image long alternative text protrudes into the editor when the image is selected.
- #1113: [Firefox] Fixed: Nested contenteditable elements path is not updated on focus with the Div Editing Area plugin.
- #1682 Fixed: Hovering the Balloon Toolbar panel changes its size, causing flickering.
#421 Fixed: Expandable Button puts the
(Selected)text at the end of the label when clicked.
#1454: Fixed: The
onAbortmethod of the Upload Widget is not called when the loader is aborted.
- #1451: Fixed: The context menu is incorrectly positioned when opened with Shift+F10.
CKEDITOR.filter.instancesis causing memory leaks.
- #2491: Fixed: The Mentions plugin is not matching diacritic characters.
- #2519: Fixed: The Accessibility Help dialog should display all available keystrokes for a single command.
CKEDITOR.ui.panel.block.getItemsmethod now also returns
inputelements in addition to links.
CKEDITOR.tools.convertToPxfunction now converts negative values.
#2253: The widget definition
insertmethod now passes
commandData. Thanks to marcparmet!
tools.throttlefunctions logic into a separate namespace.
CKEDITOR.filterconstructor accepts an additional
rulesparameter allowing to bind the editor and filter together.
editor.getCommandKeystrokemethod accepts an additional
allparameter allowing to retrieve an array of all command keystrokes.
#2483: Button's DOM element created with the
hasArrowdefinition option can by identified by the