Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.
An upgrade is highly recommended!
- #12899: Fixed: Corrected wrong tag ending for horizontal box definition in the Dialog User Interface plugin. Thanks to mizafish!
- #13254: Fixed: Cannot outdent block after indent when using the Div Editing Area plugin. Thanks to Jonathan Cottrill!
#13268: Fixed: Documentation for
CKEDITOR.dom.textis incorrect. Thanks to Ben Kiefer!
- #12739: Fixed: Link loses inline styles when edited without the Advanced Tab for Dialogs plugin. Thanks to Віталій Крутько!
#13292: Fixed: Protection pattern does not work in attribute in self-closing elements with no space before
/>. Thanks to Віталій Крутько!
PR#192: Fixed: Variable name typo in the Dialog User Interface plugin which caused
CKEDITOR.ui.dialog.radiovalidation to not work. Thanks to Florian Ludwig!
#13232: [Safari] Fixed: The
element.appendText()method does not work properly for empty elements.
#13233: Fixed: HTMLDataProcessor can process
#12796: Fixed: The Indent List plugin unwraps parent
<li>elements. Thanks to Andrew Stucki!
#12885: Added missing
- #11982: Fixed: Bullet added in a wrong position after the Enter key is pressed in a nested list.
- #13027: Fixed: Keyboard navigation in dialog windows with multiple tabs not following IBM CI 162 instructions orARIA Authoring Practices.
- #12256: Fixed: Basic styles classes are lost when pasting from Microsoft Word if basic styles were configured to use classes.
- #12729: Fixed: Incorrect structure created when merging a block into a list item on Backspace and Delete.
- #13031: [Firefox] Fixed: No more line breaks in source view since Firefox 36.
- #13131: Fixed: The Code Snippet plugin cannot be used without the IFrame Editing Area plugin.
#9086: Fixed: Invalid ARIA property used on paste area
- #13164: Fixed: Error when inserting a hidden field.
#13155: Fixed: Incorrect Line Utilities positioning when
<body>has a margin.
- #13351: Fixed: Link lost when editing a linked image with the Link tab disabled. This also fixed a bug when inserting an image into a fully selected link would throw an error (#12847).
- #13344: [WebKit/Blink] Fixed: It is possible to remove or change editor content in read-only mode.
#12844 and #13103: Upgraded the testing environment to Bender.js
#12930: Because of licensing issues,
truncated-mathjax/is now removed from the
bender.config.mathJaxLibPathmust be configured manually in order to run Mathematical Formulas plugin tests.
- #13266: Added more shades of gray in the Color Dialog window. Thanks to mizafish!