Security Updates:
- Fixed XSS vulnerability in the Clipboard plugin reported by Anton Subbotin.
  Issue summary: The vulnerability allowed abusing the paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. See the security advisory for more details.
- Fixed XSS vulnerability in the Widget plugin reported by Anton Subbotin.
  Issue summary: The vulnerability allowed abusing the undo functionality using malformed Widget HTML, which could result in executing JavaScript code. See the security advisory for more details.
- Fixed XSS vulnerability in the Fake Objects plugin reported by Mika Kulmala.
  Issue summary: The vulnerability allowed injecting malformed Fake Objects HTML, which could result in executing JavaScript code. See the security advisory for more details.
You can read more details in the relevant security advisory and contact us if you have more questions.
An upgrade is highly recommended!
Fixed Issues:
- #4777: Fixed: HTML comments in widgets not processed correctly.
- #4733: Fixed: Link prevent duplicate anchors in text with styles.
- #3819: [Chrome] Fixed: After removing one of the two consecutive spaces, the character appears in the editor instead of a space.
- #4666: [IE] Introduce CSS.escape polyfill. Thanks to limingli0707!
- #3638: Fixed: Opening the same dialog twice causes it to become hidden under the dialog's page cover.
- #4247: Fixed: Color Button's incorrect rendering on the first opening.
- #4555: Fixed: Font styles with attributes are not applied correctly when used multiple times over the same selection.
- #4782: [Firefox] Fixed: TypeError is thrown when switching to Source View and back while Autocomplete plugin is enabled.