ckeditor-dev - npm Package Versions

CKEditor 4.5.11

Security Updates:

• [Severity: minor] Fixed the target="_blank" vulnerability reported by James Gaskell.

  Issue summary: If a victim had access to a spoofed version of ckeditor.com via HTTP (e.g. due to DNS spoofing, using a hacked public network or mailicious hotspot), then when using a link to the ckeditor.com website it was possible for the attacker to change the current URL of the opening page, even if the opening page was protected with SSL.

  An upgrade is recommended.

New Features:

• #14747: The Enhanced Image caption now supports the link target attribute.
• #7154: Added support for the "Display Text" field to the Link dialog. Thanks to Ryan Guill!

Fixed Issues:

• #13362: [Blink, WebKit] Fixed: Active widget element is not cached when it is losing focus and it is inside an editable element.
• #13755: [Edge] Fixed: Pasting images does not work.
• #13548: [IE] Fixed: Clicking the elements path disables Cut and Copy icons.
• #13812: Fixed: When aborting file upload the placeholder for image is left.
• #14659: [Blink] Fixed: Content scrolled to the top after closing the dialog in a <div>-based editor.
• #14825: [Edge] Fixed: Focusing the editor causes unwanted scrolling due to dropped support for the setActive() method.

CKEditor 4.5.10

Fixed Issues:

• #10750: Fixed: The editor does not escape the font-style family property correctly, removing quotes and whitespace from font names.
• #14413: Fixed: The Auto Grow plugin with the config.autoGrow_onStartup option set to true does not work properly for an editor that is not visible.
• #14451: Fixed: Numeric element ID not escaped properly. Thanks to Jakub Chalupa!
• #14590: Fixed: Additional line break appearing after inline elements when switching modes. Thanks to dpidcock!
• #14539: Fixed: JAWS reads "selected Blank" instead of "selected <widget name>" when selecting a widget.
• #14701: Fixed: More precise labels for Enhanced Image and Placeholder widgets.
• #14667: [IE] Fixed: Removing background color from selected text removes background color from the whole paragraph.
• #14252: [IE] Fixed: Styles drop-down list does not always reflect the current style of the text line.
• #14275: [IE9+] Fixed: onerror and onload events are not used in browsers it could have been used when loading scripts dynamically.

CKEditor 4.5.9

Fixed Issues:

• #10685: Fixed: Unreadable toolbar icons after updating to the new editor version. Fixed with 6876179 in ckeditor4 and 6c9189f4 in ckeditor4-presets.
• #14573: Fixed: Missing Widget drag handler CSS when there are multiple editor instances.
• #14620: Fixed: Setting both the min-height style for the <body> element and the height style for the <html> element breaks the Auto Grow plugin.
• #14538: Fixed: Keyboard focus goes into an embedded <iframe> element.
• #14602: Fixed: The dom.element.removeAttribute() method does not remove all attributes if no parameter is given.
• #8679: Fixed: Better focus indication and ability to style the selected color in the color picker dialog.
• #11697: Fixed: Content is replaced ignoring the letter case setting in the Find and Replace dialog window.
• #13886: Fixed: Invalid handling of the CKEDITOR.style instance with the styles property by CKEDITOR.filter.
• #14535: Fixed: CSS syntax corrections. Thanks to mdjdenormandie!

CKEditor 4.5.8

New Features:

• #12440: Added the config.colorButton_enableAutomatic option to allow hiding the "Automatic" option in the color picker.

Fixed Issues:

• #10448: Fixed: Lack of scrollbar in the right-to-left text direction.
• #12707: Fixed: The order of table elements does not comply with the HTML specification.
• #13756: [Edge] Fixed: Context menus are cut-off.

CKEditor 4.5.7

New Features:

• #14327: Added Swiss German localization. Thanks to Miro Grenda!

Fixed Issues:

• #13816: Introduced a new strategy for Filling Character handling to avoid changes in DOM. This fixes the following issues:
  • #12727: [Blink] IndexSizeError when using the Div Editing Area and Content Templates plugins.
  • #13377: Widget plugin issue when typing in Korean.
  • #13389: [Blink] editor.getData() fails when the cursor is next to an <hr> tag.
  • #13513: [Blink, WebKit] Div Editing Area and editor.getData() throw an error when an image is the only data in the editor.
• #13884: [Firefox] Fixed: Copying and pasting a table results in just the first cell being pasted.
• #14234: Fixed: URL input field is not marked as required in the Media Embed dialog.

CKEditor 4.5.6

New Features:

• Introduced the CKEDITOR.tools.getCookie() and CKEDITOR.tools.setCookie() methods for accessing cookies.
• Introduced the CKEDITOR.tools.getCsrfToken() method. The CSRF token is now automatically sent by the File Browser and File Tools plugins during file uploads. The server-side upload handlers may check it and use it to additionally secure the communication.

Other Changes:

• Updated SCAYT (Spell Check As You Type):
  • New features:
    • CKEditor Language plugin support.
    • CKEditor Placeholder plugin support.
    • Drag&Drop support.
    • Experimental GRAYT (Grammar As You Type) functionality.
  • Fixed issues:
    • #98: SCAYT affects dialog double-click. Fixed in SCAYT core.
    • #102: SCAYT core performance enhancements.
    • #104: SCAYT's spans leak into the clipboard and after pasting.
    • #105: A JavaScript error fired in case of multiple instances of CKEditor on one page.
    • #107: SCAYT should not check non-editable parts of content.
    • #108: Latest SCAYT copies the ID of the editor element to the iframe.
    • SCAYT stops working when CKEditor Undo plugin not enabled.
    • Issue with pasting SCAYT markup in CKEditor.
    • SCAYT stops working after pressing the Cancel button in the WSC dialog.

CKEditor 4.4.8

Security Updates:

• Fixed XSS vulnerability in the HTML parser reported by Dheeraj Joshi and Prem Kumar.

  Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode.

An upgrade is highly recommended!

Fixed Issues:

• #12899: Fixed: Corrected wrong tag ending for horizontal box definition in the Dialog User Interface plugin. Thanks to mizafish!
• #13254: Fixed: Cannot outdent block after indent when using the Div Editing Area plugin. Thanks to Jonathan Cottrill!
• #13268: Fixed: Documentation for CKEDITOR.dom.text is incorrect. Thanks to Ben Kiefer!
• #12739: Fixed: Link loses inline styles when edited without the Advanced Tab for Dialogs plugin. Thanks to Віталій Крутько!
• #13292: Fixed: Protection pattern does not work in attribute in self-closing elements with no space before />. Thanks to Віталій Крутько!
• PR#192: Fixed: Variable name typo in the Dialog User Interface plugin which caused CKEDITOR.ui.dialog.radio validation to not work. Thanks to Florian Ludwig!
• #13232: [Safari] Fixed: The element.appendText() method does not work properly for empty elements.
• #13233: Fixed: HTMLDataProcessor can process foo:href attributes.
• #12796: Fixed: The Indent List plugin unwraps parent <li> elements. Thanks to Andrew Stucki!
• #12885: Added missing editor.getData() parameter documentation.
• #11982: Fixed: Bullet added in a wrong position after the Enter key is pressed in a nested list.
• #13027: Fixed: Keyboard navigation in dialog windows with multiple tabs not following IBM CI 162 instructions or ARIA Authoring Practices.
• #12256: Fixed: Basic styles classes are lost when pasting from Microsoft Word if basic styles were configured to use classes.
• #12729: Fixed: Incorrect structure created when merging a block into a list item on Backspace and Delete.
• #13031: [Firefox] Fixed: No more line breaks in source view since Firefox 36.
• #13131: Fixed: The Code Snippet plugin cannot be used without the IFrame Editing Area plugin.
• #9086: Fixed: Invalid ARIA property used on paste area <iframe>.
• #13164: Fixed: Error when inserting a hidden field.
• #13155: Fixed: Incorrect Line Utilities positioning when <body> has a margin.
• #13351: Fixed: Link lost when editing a linked image with the Link tab disabled. This also fixed a bug when inserting an image into a fully selected link would throw an error (#12847).
• #13344: [WebKit/Blink] Fixed: It is possible to remove or change editor content in read-only mode.

Other Changes:

• #12844 and #13103: Upgraded the testing environment to Bender.js 0.2.3.
• #12930: Because of licensing issues, truncated-mathjax/ is now removed from the tests/ directory. Now bender.config.mathJaxLibPath must be configured manually in order to run Mathematical Formulas plugin tests.
• #13266: Added more shades of gray in the Color Dialog window. Thanks to mizafish!