Security Updates:

• Fixed XSS vulnerability in the HTML parser reported by Dheeraj Joshi and Prem Kumar.

  Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.

An upgrade is highly recommended!

Fixed Issues:

• #12899: Fixed: Corrected wrong tag ending for horizontal box definition in the Dialog User Interface plugin. Thanks to mizafish!
• #13254: Fixed: Cannot outdent block after indent when using the Div Editing Area plugin. Thanks to Jonathan Cottrill!
• #13268: Fixed: Documentation for CKEDITOR.dom.text is incorrect. Thanks to Ben Kiefer!
• #12739: Fixed: Link loses inline styles when edited without the Advanced Tab for Dialogs plugin. Thanks to Віталій Крутько!
• #13292: Fixed: Protection pattern does not work in attribute in self-closing elements with no space before />. Thanks to Віталій Крутько!
• PR#192: Fixed: Variable name typo in the Dialog User Interface plugin which caused CKEDITOR.ui.dialog.radiovalidation to not work. Thanks to Florian Ludwig!
• #13232: [Safari] Fixed: The element.appendText() method does not work properly for empty elements.
• #13233: Fixed: HTMLDataProcessor can process foo:href attributes.
• #12796: Fixed: The Indent List plugin unwraps parent <li> elements. Thanks to Andrew Stucki!
• #12885: Added missing editor.getData() parameter documentation.
• #11982: Fixed: Bullet added in a wrong position after the Enter key is pressed in a nested list.
• #13027: Fixed: Keyboard navigation in dialog windows with multiple tabs not following IBM CI 162 instructions orARIA Authoring Practices.
• #12256: Fixed: Basic styles classes are lost when pasting from Microsoft Word if basic styles were configured to use classes.
• #12729: Fixed: Incorrect structure created when merging a block into a list item on Backspace and Delete.
• #13031: [Firefox] Fixed: No more line breaks in source view since Firefox 36.
• #13131: Fixed: The Code Snippet plugin cannot be used without the IFrame Editing Area plugin.
• #9086: Fixed: Invalid ARIA property used on paste area <iframe>.
• #13164: Fixed: Error when inserting a hidden field.
• #13155: Fixed: Incorrect Line Utilities positioning when <body> has a margin.
• #13351: Fixed: Link lost when editing a linked image with the Link tab disabled. This also fixed a bug when inserting an image into a fully selected link would throw an error (#12847).
• #13344: [WebKit/Blink] Fixed: It is possible to remove or change editor content in read-only mode.

Other Changes:

• #12844 and #13103: Upgraded the testing environment to Bender.js 0.2.3.
• #12930: Because of licensing issues, truncated-mathjax/ is now removed from the tests/ directory. Nowbender.config.mathJaxLibPath must be configured manually in order to run Mathematical Formulas plugin tests.
• #13266: Added more shades of gray in the Color Dialog window. Thanks to mizafish!