Fixed XSS vulnerability in the HTML parser reported by maxarr.
Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
An upgrade is highly recommended!
- #2062: Added the emoji dropdown that allows the user to choose the emoji from the toolbar and search for them using keywords.
- #2154: The Link plugin now supports phone number links.
- #1815: The Auto Link plugin supports typing link completion.
- #2478: Link can be inserted using the Ctrl/Cmd + K keystroke.
- #651: Text pasted using the Paste from Word plugin preserves indentation in paragraphs.
- #2248: Added support for justification in the BBCode plugin. Thanks to Matěj Kmínek!
- #706: Added a different cursor style when selecting cells for the Table Selection plugin.
- #2072: The UI Button plugin supports custom `aria-haspopup` property values. The Menu Button `aria-haspopup` value is now `menu`, the Panel Button and Rich Combo `aria-haspopup` value is now
- #1176: The Balloon Panel can now be attached to a selection instead of an element.
- #2202: Added the `contextmenu_contentsCss` configuration option to allow adding custom CSS to the Context Menu.
- #1477: Fixed: On destroy, Balloon Toolbar does not destroy its content.
- #2394: Fixed: Emoji dropdown does not show up with repeated symbols in a single line.
- #1181: [Chrome] Fixed: Opening the context menu in a read-only editor results in an error.
- #2276: [iOS] Fixed: Button state does not refresh properly.
- #1489: Fixed: Table contents can be removed in read-only mode when the Table Selection plugin is used.
- #1264 Fixed: Right-click does not clear the selection created with the Table Selection plugin.
- #586 Fixed: The `required` attribute is not correctly recognized by the Form Elements plugin dialog. Thanks to Roli Züger!
- #2380 Fixed: Styling HTML comments in a top-level element results in extra paragraphs.
- #2294 Fixed: Pasting content from Microsoft Outlook and then bolding it results in an error.
- #2035 [Edge] Fixed: `Permission denied` is thrown when opening a Panel instance.
- #965 Fixed: The `config.forceSimpleAmpersand` option does not work. Thanks to Alex Maris!
- #2448: Fixed: The Escape HTML Entities plugin with custom additional entities configuration breaks HTML escaping.
- #898: Fixed: Enhanced Image long alternative text protrudes into the editor when the image is selected.
- #1113: [Firefox] Fixed: Nested contenteditable elements path is not updated on focus with the Div Editing Area plugin.
- #1682 Fixed: Hovering the Balloon Toolbar panel changes its size, causing flickering.
- #421 Fixed: Expandable Button puts the `(Selected)` text at the end of the label when clicked.
- #1454: Fixed: The `onAbort` method of the Upload Widget is not called when the loader is aborted.
- #1451: Fixed: The context menu is incorrectly positioned when opened with Shift+F10.
- Fixed: `CKEDITOR.filter.instances` is causing memory leaks.
- #2491: Fixed: The Mentions plugin is not matching diacritic characters.
- #2519: Fixed: The Accessibility Help dialog should display all available keystrokes for a single command.
- The `CKEDITOR.ui.panel.block.getItems` method now also returns `input` elements in addition to links.
- The `CKEDITOR.tools.convertToPx` function now converts negative values.
- #2253: The widget definition `insert` method now passes `commandData`. Thanks to marcparmet!
- Extracted the `tools.eventsBuffer` and `tools.throttle` functions logic into a separate namespace.
  - `tools.eventsBuffer` was extracted into
  - `tools.throttle` was extracted into
- The `CKEDITOR.filter` constructor accepts an additional `rules` parameter that allows binding the editor and filter together.
- The `editor.getCommandKeystroke` method accepts an additional `all` parameter that allows retrieving an array of all command keystrokes.
- #2483: Button's DOM element created with the `hasArrow` definition option can be identified by the