A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed plugins.
This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. See GitHub advisory for more details.
Potential breaking changes
In some rare cases, a security release may introduce a breaking change to your application. We have provided configuration options that will help you mitigate any potential issues with the upgrade:
- Starting from version 4.21, the Iframe Dialog plugin applies the
- Starting from version 4.21, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the
If you choose to change either of the above options, make sure to properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on your web page.
You can read more details in the relevant security advisory and contact us if you have more questions.
An upgrade is highly recommended!
#4400: Added the
config.uploadImage_supportedTypesconfiguration option allowing to change the image formats accepted by the Upload Image plugin. Thanks to SilverYoCha!
- #5431: Fixed: No notification is shown when pasting or dropping unsupported image types into the editor.