Security Updates:
- Fixed XSS vulnerability in the Color History feature reported by Mark Wade.
Issue summary: It was possible to execute an XSS-type attack inside CKEditor 4 by persuading a victim to paste specially crafted HTML code into the Color Button dialog.
An upgrade is highly recommended!
Fixed Issues:
- #4293: Fixed: The CKEDITOR.inlineAll() method tries to initialize inline editor also on elements with an editor already attached to them.
- #3961: Fixed: The Table Resize plugin prevents editing of merged cells.
- #3649: Fixed: Applying a block format should remove existing block styles.
- #4282: Fixed: The script loader does not execute callback for scripts already loaded when called for the second time. Thanks to Alexander Korotkevich!
- #4273: Fixed: A memory leak in the CKEDITOR.domReady() method connected with not removing load event listeners. Thanks to rohit1!
- #1330: Fixed: Incomplete CSS margin parsing if an auto or 0 value is used.
- #4286: Fixed: The Auto Grow plugin causes the editor width to be set to 0 on editor resize.
- #848: Fixed: Arabic text not being "bound" correctly when pasting. Thanks to Thomas Hunkapiller and J. Ivan Duarte Rodríguez!
API Changes:
- #3649: Added a new stylesRemove editor event.
Other Changes:
- #4262: Removed the global reference to the stylesLoaded variable. Thanks to Levi Carter!
- Updated the Export to PDF plugin to 1.0.1 version:
  - Improved external CSS support for classic editor by handling exceptions and displaying convenient error messages.