CKEditor 4.5.11

Security Updates:

• [Severity: minor] Fixed the target="_blank" vulnerability reported by James Gaskell.

  Issue summary: If a victim had access to a spoofed version of ckeditor.com via HTTP (e.g. due to DNS spoofing, using a hacked public network or mailicious hotspot), then when using a link to the ckeditor.com website it was possible for the attacker to change the current URL of the opening page, even if the opening page was protected with SSL.

  An upgrade is recommended.

New Features:

• #14747: The Enhanced Image caption now supports the link target attribute.
• #7154: Added support for the "Display Text" field to the Link dialog. Thanks to Ryan Guill!

Fixed Issues:

• #13362: [Blink, WebKit] Fixed: Active widget element is not cached when it is losing focus and it is inside an editable element.
• #13755: [Edge] Fixed: Pasting images does not work.
• #13548: [IE] Fixed: Clicking the elements path disables Cut and Copy icons.
• #13812: Fixed: When aborting file upload the placeholder for image is left.
• #14659: [Blink] Fixed: Content scrolled to the top after closing the dialog in a <div>-based editor.
• #14825: [Edge] Fixed: Focusing the editor causes unwanted scrolling due to dropped support for the setActive() method.

CKEditor 4.5.10

Fixed Issues:

• #10750: Fixed: The editor does not escape the font-style family property correctly, removing quotes and whitespace from font names.
• #14413: Fixed: The Auto Grow plugin with the config.autoGrow_onStartup option set to true does not work properly for an editor that is not visible.
• #14451: Fixed: Numeric element ID not escaped properly. Thanks to Jakub Chalupa!
• #14590: Fixed: Additional line break appearing after inline elements when switching modes. Thanks to dpidcock!
• #14539: Fixed: JAWS reads "selected Blank" instead of "selected <widget name>" when selecting a widget.
• #14701: Fixed: More precise labels for Enhanced Image and Placeholder widgets.
• #14667: [IE] Fixed: Removing background color from selected text removes background color from the whole paragraph.
• #14252: [IE] Fixed: Styles drop-down list does not always reflect the current style of the text line.
• #14275: [IE9+] Fixed: onerror and onload events are not used in browsers it could have been used when loading scripts dynamically.

CKEditor 4.5.9

Fixed Issues:

• #10685: Fixed: Unreadable toolbar icons after updating to the new editor version. Fixed with 6876179 in ckeditor4 and 6c9189f4 in ckeditor4-presets.
• #14573: Fixed: Missing Widget drag handler CSS when there are multiple editor instances.
• #14620: Fixed: Setting both the min-height style for the <body> element and the height style for the <html> element breaks the Auto Grow plugin.
• #14538: Fixed: Keyboard focus goes into an embedded <iframe> element.
• #14602: Fixed: The dom.element.removeAttribute() method does not remove all attributes if no parameter is given.
• #8679: Fixed: Better focus indication and ability to style the selected color in the color picker dialog.
• #11697: Fixed: Content is replaced ignoring the letter case setting in the Find and Replace dialog window.
• #13886: Fixed: Invalid handling of the CKEDITOR.style instance with the styles property by CKEDITOR.filter.
• #14535: Fixed: CSS syntax corrections. Thanks to mdjdenormandie!

CKEditor 4.5.8

New Features:

• #12440: Added the config.colorButton_enableAutomatic option to allow hiding the "Automatic" option in the color picker.

Fixed Issues:

• #10448: Fixed: Lack of scrollbar in the right-to-left text direction.
• #12707: Fixed: The order of table elements does not comply with the HTML specification.
• #13756: [Edge] Fixed: Context menus are cut-off.

CKEditor 4.5.7

New Features:

• #14327: Added Swiss German localization. Thanks to Miro Grenda!

Fixed Issues:

• #13816: Introduced a new strategy for Filling Character handling to avoid changes in DOM. This fixes the following issues:
  • #12727: [Blink] IndexSizeError when using the Div Editing Area and Content Templates plugins.
  • #13377: Widget plugin issue when typing in Korean.
  • #13389: [Blink] editor.getData() fails when the cursor is next to an <hr> tag.
  • #13513: [Blink, WebKit] Div Editing Area and editor.getData() throw an error when an image is the only data in the editor.
• #13884: [Firefox] Fixed: Copying and pasting a table results in just the first cell being pasted.
• #14234: Fixed: URL input field is not marked as required in the Media Embed dialog.

CKEditor 4.5.6

New Features:

• Introduced the CKEDITOR.tools.getCookie() and CKEDITOR.tools.setCookie() methods for accessing cookies.
• Introduced the CKEDITOR.tools.getCsrfToken() method. The CSRF token is now automatically sent by the File Browser and File Tools plugins during file uploads. The server-side upload handlers may check it and use it to additionally secure the communication.

Other Changes:

• Updated SCAYT (Spell Check As You Type):
  • New features:
    • CKEditor Language plugin support.
    • CKEditor Placeholder plugin support.
    • Drag&Drop support.
    • Experimental GRAYT (Grammar As You Type) functionality.
  • Fixed issues:
    • #98: SCAYT affects dialog double-click. Fixed in SCAYT core.
    • #102: SCAYT core performance enhancements.
    • #104: SCAYT's spans leak into the clipboard and after pasting.
    • #105: A JavaScript error fired in case of multiple instances of CKEditor on one page.
    • #107: SCAYT should not check non-editable parts of content.
    • #108: Latest SCAYT copies the ID of the editor element to the iframe.
    • SCAYT stops working when CKEditor Undo plugin not enabled.
    • Issue with pasting SCAYT markup in CKEditor.
    • SCAYT stops working after pressing the Cancel button in the WSC dialog.