CKEditor 5 changelog

This is the CKEditor 5 changelog guide. Here you will find information about the most important changes introduced in the release, new features, and bug fixes.

Information about both major and minor breaking changes is available, too, if the release introduces them. You can read more about breaking changes in CKEditor 5 in the Versioning policy guide.

You can find more information about each release in the blog posts linked at the start of each entry.

This guide provides the changelog information for the 3 latest releases of CKEditor 5. For older releases, refer to the release notes on GitHub.

# CKEditor 5 43.2.0 release

We are happy to announce the release of CKEditor 5 v43.2.0.

# Release highlights

# Notable improvements

• Operational Transformation Stability: Significant changes have been made to the OT system, enhancing the undo functionality and real-time collaboration, especially in conflict resolution scenarios. These improvements ensure smoother editor operations during complex interactions.
• Performance Improvements: We have merged several community-driven performance enhancements (thanks @sunesimonsen), that optimize the editor’s core engine. While no changes to the editor’s logic were made, these updates improve overall efficiency and responsiveness.

# More imports available via ckeditor5 and ckeditor5-premium-features indexes

As users transition to new installation methods (v42.0.0+) with ckeditor5 and ckeditor5-premium-features as the main packages, we are continuously addressing missing imports for less common classes, functions, types, and utilities, broadening their availability. Since our TypeScript rewrite (v37.0.0), imports can now be made directly through the package indexes, simplifying integration. As many users historically imported from src, we encourage you to try the new version and report any missing imports. In the future, we are considering removing src from published packages to reduce package size, so the more feedback we receive, the better and more stable API we will provide.

# Features

• engine: Added the usePassive option to DomEventObserver that enables listening to passive events. Closes #16412. (commit)
• media-embed: It is now possible to embed YouTube shorts. Closes #17090. (commit)
• ui: Updated the “Powered by” link. (commit)

# Bug fixes

• ckbox: Editing inline images using CKBox no longer changes and reinserts them simultaneously. Closes #17056. (commit)
• engine: Fixed incorrect marker handling in some scenarios involving undo and real-time collaboration, which earlier led to a model-nodelist-offset-out-of-bounds error. See #9296. (commit)
• engine: Fixed incorrect handling of merge changes during undo in some scenarios involving real-time collaboration, which earlier led to a model-nodelist-offset-out-of-bounds error. See #9296. (commit)
• engine: Fixed conflict resolution error, which led to editor crash in some scenarios where two users removed larger intersecting part of the content and used undo. See #9296. (commit)
• engine: Fixed incorrect undo behavior leading to an editor crash when a user pressed Enter key multiple times, then pressed backspace that many times, then undid all the changes. Closes #9296. (commit)
• theme-lark: Increased the specificity of the dropdown menu panel styles to address issues with incorrect z-index ordering. (commit)
• ui: Fixed scrolling in dropdowns when a block toolbar button is active. Closes #17067. (commit)
• ui: Increased the specificity of the dropdown menu panel styles to address issues with incorrect z-index ordering. (commit)

# Other changes

• basic-styles: Exported the AttributeCommand class. Closes #17105. (commit)
• ckeditor5-premium-features: Marked the ckeditor5 package as peerDependencies.
• engine: Performance improvements. Avoided creating unnecessary arrays. Closes #17143. (commit)
• Exported several classes and utilities from various packages (commit).

# CKEditor 5 43.1.1 release

We are happy to announce the release of CKEditor 5 v43.1.1.

During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 clipboard package (CVE-2024-45613). This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration.

This vulnerability affects only installations where the editor configuration meets the following criteria:

1. The Block Toolbar plugin is enabled.
2. One of the following plugins is also enabled:
   • General HTML Support with a configuration that permits unsafe markup.
   • HTML Embed.

You can read more details in the relevant security advisory and contact us if you have more questions.

Taking the occasion, we decided to introduce additional hardening to some parts of our codebase that introduce theoretical and unexploitable issues. Our security team confirmed that none of these issues were exploitable in a real scenario, however, we decided to fix them, in order to increase the overall security posture of our software.

# CKEditor 5 43.1.0 release

We are happy to announce the release of CKEditor 5 v43.1.0.

# Release highlights

This release includes important bug fixes and enhancements for the editor:

• Block merge fields: In contrast to regular, inline merge fields, the block merge fields are designed to represent complex, block-level structures, such as a dynamically generated table, a row of products, or a personalized call-to-action segment. Block merge fields are supposed to be replaced by arbitrary HTML data when the document template is post-processed or exported to a PDF or Word file.

• Nested dropdown menus: this release introduces a new UI component: nested dropdown menus. They can be used by feature developers to easily provide an advanced user interface where UI elements are organized into a nested menu structure.

• Customizable accessible label: You can now configure the label for the accessible editable area through the editor settings, ensuring it fits your system’s needs.

• Improved table and cell border controls: It is now easier to manage both table and cell borders. The table user interface now clearly indicates the default border settings, allowing you to set “no borders” (None) for tables and cells without any additional configuration.

  ⚠️ In some cases this update may lead to data changes in the tables’ HTML markup when the editor loads them. However, visually nothing will change, and the experience will be the same.

The full list of enhancements can be found below.

# MINOR BREAKING CHANGES

• Reverted config.sanitizeHtml. In v43.0.0 we made a decision to move config.htmlEmbed.sanitizeHtml to a top-level property config.sanitizeHtml. However, we realized that it was a wrong decision to expose such a sensitive property in a top-level configuration property. Starting with v43.1.0 you should again use config.htmlEmbed.sanitizeHtml and/or config.mergeFields.sanitizeHtml. The editor will throw an error if config.sanitizeHtml is used. See the migration guide for additional context behind this decision.
• ai: The structure and presentation of the list of AI commands in the toolbar have changed (a flat filtered list is now a nested menu). Additionally, if your integration customizes this user interface, please ensure your integration code is up-to-date.
• ui: The default [aria-label] provided by InlineEditableUIView is now 'Rich Text Editor. Editing area: [root name]' (previously: 'Editor editing area: [root name]'). You can use the options.label constructor property to adjust the label.

# Features

• comments: Added [data-author-id] to suggestion and comment markers in editing for easier integration and styling.
• media-embed: Added support for new Twitter domain (x.com) and Instagram Reels. Closes #16435. (commit)
• merge-fields: Introduced block merge fields. They are a new type of merge fields which are treated as block content in the editor editing area.
• track-changes: Added [data-author-id] to suggestion and comment markers in editing for easier integration and styling.
• ui: Introduced nested menu component for dropdowns. Closes #6399. (commit)
• ui: Added support for the balloon toolbar in the multi-root editor. Closes #14803. (commit)
• Allowed to configure the accessible editable area label via the config.label property. Closes #15208, #11863, #9731. (commit)

# Bug fixes

• cloud-services: The refreshing mechanism (from the Token class) should retry after a failure to limit the chance of the user getting disconnected and data loss in real-time collaboration. (commit)
• comments: The TrackChangesData#getDataWithAcceptedSuggestions() method will no longer throw errors when there are suggestions containing multi-range comments in tables.
• document-outline: Editor no longer crashes during initialization when the TableOfContents and ImageBlock plugins are enabled. Closes ckeditor/ckeditor5#16915.
• editor-classic: The widget toolbar no longer covers editor’s sticky toolbar when scrolling. Closes #15744. (commit)
• editor-multi-root: The selection is no longer lost while clicking an editable containing only one block element. Closes #16806. (commit)
• engine: Prevent from editor crashes when trying to style a long paragraph. Closes #16819. (commit)
• html-support: The <hgroup> and <summary> elements should work with the source editing feature. Closes #16947. (commit)
• list: A to-do list should preserve the state of the checked items on the data load. Closes #15602. (commit)
• table: Changed default table and table cell properties to match the content styles. It fixes a problem with setting [border=none] on the table. Closes #6841. (commit)
• table: Larger tables are no longer truncated in print mode. Closes #16856. (commit)
• track-changes: The TrackChangesData#getDataWithAcceptedSuggestions() and TrackChangesData#getDataWithDiscardedSuggestions() methods will no longer throw errors when used in asynchronous load and save integration type.
• ui: Nested menus in the menu bar and dropdowns should not get their panels focused when the main button is clicked. Closes #16857. (commit)
• ui: Restored the ability to pin balloons to text nodes in the DOM tree. Closes #16958 #16889. (commit)
• ui: The focus outline should remain visible upon closing a menu bar using the Esc key during keyboard navigation. Closes #16719. (commit)
• ui: Balloon Editor toolbar no longer sticks out of the limiter element while scrolling. Closes #17002. (commit)

# Other changes

• ai: The AI Assistant pre-defined commands toolbar dropdown will now use a new nested menu component instead of the flat list component.
• comments: Moved Ctrl+Shift+E and Esc key handling code from individual features to the Annotations plugin to simplify the logic.
• core: Reverted recent change to move config.htmlEmbed.sanitizeHtml to a top-level config property (config.sanitizeHtml). config.sanitizeHtml is no longer available and using it will throw an error.
• html-embed: Reverted recent change to move config.htmlEmbed.sanitizeHtml to a top-level config property (config.sanitizeHtml). Starting from v43.1.0 config.htmlEmbed.sanitizeHtml is no longer deprecated.
• merge-fields: Introduced config.mergeFields.sanitizeHtml config property. Use it instead of config.sanitizeHtml. config.sanitizeHtml is no longer available and using it will throw an error.
• track-changes: Moved Ctrl+Shift+E and Esc key handling code from individual features to the Annotations plugin to simplify the logic.
• typing: The package exports now the TextTransformationConfig type. (commit)
• Updated translations. (commit)