Security Updates:
- Fixed XSS vulnerability in the HTML parser reported by maxarr.
  Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
An upgrade is highly recommended!
New Features:
- #2062: Added the emoji dropdown that allows the user to choose the emoji from the toolbar and search for them using keywords.
- #2154: The Link plugin now supports phone number links.
- #1815: The Auto Link plugin supports typing link completion.
- #2478: Link can be inserted using the Ctrl/Cmd + K keystroke.
- #651: Text pasted using the Paste from Word plugin preserves indentation in paragraphs.
- #2248: Added support for justification in the BBCode plugin. Thanks to Matěj Kmínek!
- #706: Added a different cursor style when selecting cells for the Table Selection plugin.
- #2072: The UI Button plugin supports custom aria-haspopup property values. The Menu Button aria-haspopup value is now menu, the Panel Button and Rich Combo aria-haspopup value is now listbox.
- #1176: The Balloon Panel can now be attached to a selection instead of an element.
- #2202: Added the contextmenu_contentsCss configuration option to allow adding custom CSS to the Context Menu.
Fixed Issues:
- #1477: Fixed: On destroy, Balloon Toolbar does not destroy its content.
- #2394: Fixed: Emoji dropdown does not show up with repeated symbols in a single line.
- #1181: [Chrome] Fixed: Opening the context menu in a read-only editor results in an error.
- #2276: [iOS] Fixed: Button state does not refresh properly.
- #1489: Fixed: Table contents can be removed in read-only mode when the Table Selection plugin is used.
- #1264 Fixed: Right-click does not clear the selection created with the Table Selection plugin.
- #586 Fixed: The required attribute is not correctly recognized by the Form Elements plugin dialog. Thanks to Roli Züger!
- #2380 Fixed: Styling HTML comments in a top-level element results in extra paragraphs.
- #2294 Fixed: Pasting content from Microsoft Outlook and then bolding it results in an error.
- #2035 [Edge] Fixed: Permission denied is thrown when opening a Panel instance.
- #965 Fixed: The config.forceSimpleAmpersand option does not work. Thanks to Alex Maris!
- #2448: Fixed: The Escape HTML Entities plugin with custom additional entities configuration breaks HTML escaping.
- #898: Fixed: Enhanced Image long alternative text protrudes into the editor when the image is selected.
- #1113: [Firefox] Fixed: Nested contenteditable elements path is not updated on focus with the Div Editing Area plugin.
- #1682 Fixed: Hovering the Balloon Toolbar panel changes its size, causing flickering.
- #421 Fixed: Expandable Button puts the (Selected) text at the end of the label when clicked.
- #1454: Fixed: The onAbort method of the Upload Widget is not called when the loader is aborted.
- #1451: Fixed: The context menu is incorrectly positioned when opened with Shift+F10.
- #1722: CKEDITOR.filter.instances is causing memory leaks.
- #2491: Fixed: The Mentions plugin is not matching diacritic characters.
- #2519: Fixed: The Accessibility Help dialog should display all available keystrokes for a single command.
API Changes:
- #2453: The CKEDITOR.ui.panel.block.getItems method now also returns input elements in addition to links.
- #2224: The CKEDITOR.tools.convertToPx function now converts negative values.
- #2253: The widget definition insert method now passes editor and commandData. Thanks to marcparmet!
- #2045: Extracted tools.eventsBuffer and tools.throttle functions logic into a separate namespace.
  - tools.eventsBuffer was extracted into tools.buffers.event,
  - tools.throttle was extracted into tools.buffers.throttle.
- #2466: The CKEDITOR.filter constructor accepts an additional rules parameter that allows binding the editor and filter together.
- #2493: The editor.getCommandKeystroke method accepts an additional all parameter that allows retrieving an array of all command keystrokes.
- #2483: Button's DOM element created with the hasArrow definition option can be identified by the .cke_button_expandable CSS class.
Other Changes: