Issue summary: It was possible to execute an XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog.
An upgrade is highly recommended!
#4293: Fixed: The
CKEDITOR.inlineAll()method tries to initialize inline editor also on elements with an editor already attached to them.
- #3961: Fixed: The Table Resize plugin prevents editing of merged cells.
- #3649: Fixed: Applying a block format should remove existing block styles.
- #4282: Fixed: The script loader does not execute callback for scripts already loaded when called for the second time. Thanks to Alexander Korotkevich!
#4273: Fixed: A memory leak in the
CKEDITOR.domReady()method connected with not removing
loadevent listeners. Thanks to rohit1!
#1330: Fixed: Incomplete CSS margin parsing if an
0value is used.
#4286: Fixed: The Auto Grow plugin causes the editor width to be set to
0on editor resize.
- #848: Fixed: Arabic text not being "bound" correctly when pasting. Thanks to Thomas Hunkapiller and J. Ivan Duarte Rodríguez!