Security Updates:

A cross-site scripting vulnerability has been discovered affecting Iframe Dialog and Media Embed plugins.

This vulnerability might affect a small percentage of integrators that depend on dynamic editor initialization/destroy mechanism. See GitHub advisory for more details.

Potential breaking changes

In some rare cases, a security release may introduce a breaking change to your application. We have provided configuration options that will help you mitigate any potential issues with the upgrade:

• Starting from version 4.21, the Iframe Dialog plugin applies the sandbox attribute by default, which restricts JavaScript code execution in the iframe element. To change this behavior, configure the config.iframe_attributes option.
• Starting from version 4.21, the Media Embed plugin regenerates the entire content of the embed widget by default. To change this behavior, configure the config.embed_keepOriginalContent option.

If you choose to change either of the above options, make sure to properly configure Content Security Policy to avoid any potential security issues that may arise from embedding iframe elements on your web page.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

New Features:

• #4400: Added the config.uploadImage_supportedTypes configuration option allowing to change the image formats accepted by the Upload Image plugin. Thanks to SilverYoCha!

Fixed Issues:

• #5431: Fixed: No notification is shown when pasting or dropping unsupported image types into the editor.