ckeditor4 - npm Package Versions

CKEditor 4.19.1

Fixed Issues:

• #5125: Fixed: Deleting a widget with disabled autoParagraph by the keyboard backspace key removes the editor editable area and crashes the editor.
• #5135: Fixed: The checkbox.setValue and radio.setValue methods are not chainable as stated in the documentation. Thanks to Jordan Bradford!
• #5085: Fixed: The Language plugin removes the element marking the text in foreign language if said element does not have an information about the text direction.
• #4284: Fixed: Tableselection Merging cells with a rowspan throws an unexpected error and does not create an undo step.
• #5184: Fixed: The Editor Placeholder plugin degrades typing performance.
• #5158: Fixed: CKEDITOR.tools#convertToPx() gives invalid results if the helper calculator element was deleted from the DOM.
• #5234: Fixed: Easy Image doesn't allow to upload images files using toolbar button.
• #438: Fixed: It is impossible to navigate to the elementspath from the toolbar by keyboard and vice versa.
• #4449: Fixed: dialog.validate#functions incorrectly composes functions that return an optional error message, like e.g. dialog.validate.number due to unnecessary return type coercion.
• #4473: Fixed: The dialog.validate method does not accept parameter value. The issue originated in dialog.validate.functions method that did not properly propagate parameter value to validator. Affected validators:
  • functions
  • equals
  • notEqual
  • cssLength
  • htmlLength
  • inlineStyle
• #5147: Fixed: The Accessibility Help dialog does not contain info about focus being moved back to the editing area upon leaving dialogs.
• #5144: Fixed: Menu buttons and panel buttons incorrectly indicate the open status of their associated pop-up menus in the browser's accessibility tree.
• #5022: Fixed: Find and Replace does not respond to the Enter key.

API changes:

• #5184: Added the config.editorplaceholder_delay configuration option allowing to delay placeholder before it is toggled when changing editor content.
• #5184: Added the CKEDITOR.tools#debounce() function allowing to postpone a passed function execution until the given milliseconds have elapsed since the last time it was invoked.

CKEditor 4.19.0

New features:

• #2444: Togglable toolbar buttons are now exposed as toggle buttons in the browser's accessibility tree.
• #4641: Added an option allowing to cancel the Delayed Editor Creation feature as a function handle for editor creators (CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo).
• #4986: Added config.shiftLineBreaks allowing to preserve inline elements formatting when the shift+enter keystroke is used.
• #2445: Added config.applicationTitle configuration option allowing to customize or disable the editor's application region label. This option, combined with config.title, gives much better control over the editor's labels read by screen readers.

Fixed Issues:

• #4543: Fixed: Toolbar buttons toggle state is not correctly announced by screen readers lacking the information whether the feature is on or off.
• #4052: Fixed: Editor labels are read incorrectly by screen readers due to invalid editor control type for the Iframe Editing Area editors.
• #1904: Fixed: Screen readers are not announcing the read-only editor state.
• #4904: Fixed: Table cell selection and navigation with the tab key behavior is inconsistent after adding a new row.
• #3394: Fixed: Enhanced image plugin dialog is not supporting URL with query string parameters. Thanks to Simon Urli!
• #5049: Fixed: The editor fails in strict mode due to not following the use strict directives in a core editor module.
• #5095: Fixed: The clipboard plugin shows notification about unsupported file format when the file type is different than jpg, gif, png, not respecting supported types by the Upload Widget plugin.
• #4855: [iOS] Fixed: Focusing toolbar buttons with an enabled VoiceOver screen reader moves the browser focus into an editable area and interrupts button functionality.

API changes:

• #4641: The CKEDITOR.replace, CKEDITOR.inline, CKEDITOR.appendTo functions are now returning a handle function allowing to cancel the Delayed Editor Creation feature.
• #5095: Added the CKEDITOR.plugins.clipboard.addFileMatcher function allowing to define file formats supported by the clipboard plugin. Trying to paste unsupported files will result in a notification that a file cannot be dropped or pasted into the editor.
• #2445: Added config.applicationTitle alongside CKEDITOR.editor#applicationTitle to allow customizing editor's application region label.

CKEditor 4.18.0

Security Updates:

• Fixed an XSS vulnerability in the core module reported by GitHub Security Lab team member Kevin Backhouse.

  Issue summary: The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing a JavaScript code. See CVE-2022-24728 for more details.

• Fixed a Regular expression Denial of Service (ReDoS) vulnerability in dialog plugin discovered by the CKEditor 4 team during our regular security audit.

  Issue summary: The vulnerability allowed to abuse a dialog input validator regular expression, which could cause a significant performance drop resulting in a browser tab freeze. See CVE-2022-24729 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Highlights:

Web Spell Checker ended support for WebSpellChecker Dialog on December 31st, 2021. This means the plugin is not supported any longer. Therefore, we decided to deprecate and remove the WebSpellChecker Dialog plugin from CKEditor 4 presets.

We strongly encourage everyone to choose one of the other available spellchecking solutions - Spell Check As You Type (SCAYT) or WProofreader.

Fixed issues:

• #5097: [Chrome] Fixed: Incorrect conversion of points to pixels while using CKEDITOR.tools.convertToPx().
• #5044: Fixed: select elements with multiple attribute had incorrect styling. Thanks to John R. D'Orazio!

Other changes:

• #5093: Deprecated and removed WebSpellChecker Dialog from presets.
• #5127: Deprecated the CKEDITOR.rnd property to discourage using it in a security-sensitive context.
• #5087: Improved the jQuery adapter by replacing a deprecated jQuery API with existing counterparts. Thanks to Fran Boon!
• #5128: Improved the Emoji definitions encoding set by the config.emoji_emojiListUrl configuration option.

CKEditor 4.17.2

Fixed issues:

• #4934: Fixed: Active focus in dialog tabs is not visible in the High Contrast mode.
• #547: Fixed: Dragging and dropping elements like images within a table is no longer available.
• #4875: Fixed: It is not possible to delete multiple selected lists.
• #4873: Fixed: Pasting content from MS Word and Outlook with horizontal lines prevents images from being uploaded.
• #4952: Fixed: Dragging and dropping images within a table cell appends additional elements.
• #4761: Fixed: Some CSS files are missing unique timestamp used to prevent browser to cache static resources between editor releases.
• #4987: Fixed: Find/Replace is not recognizing more than one space character.
• #5061: Fixed: Find/Replace plugin incorrectly handles multiple whitespace during replacing text.
• #5004: Fixed: MutationObserver used in IFrame Editing Area plugin causes memory leaks.
• #4994: Fixed: Easy Image plugin caused content pasted from Word to turn into an image.

API changes:

• #4918: Explicitly set the config.useComputedState default value to true. Thanks to Shabab Karim!
• #4761: The CKEDITOR.appendTimestamp() function was added.
• #4761: CKEDITOR.dom.document#appendStyleSheet() and CKEDITOR.tools.buildStyleHtml() now use the newly added CKEDITOR.appendTimestamp() function to correctly handle caching of CSS files.

Other changes:

• #5014: Fixed: Toolbar configurator fails when plugin does not define a toolbar group. Thanks to SuperPat!

CKEditor 4.17.1

Highlights:

Due to a regression in CKEeditor 4.17.0 version that was only revealed after the release and affected a limited area of operation, CSS assets loaded via relative links started to point into invalid location when loaded from external resources.

We have therefore decided to immediately release CKEditor 4.17.1 that fixed this problem. If you have already upgraded to v4.17.0, make sure to upgrade to v4.17.1 to avoid this regression.

Fixed issues:

• #4979: Fixed: Added cache key in #4761 started to breaking relative links for external CSS resources. The fix has been reverted and will be corrected in the next editor version.

CKEditor 4.16.2

Security Updates:

• Fixed XSS vulnerability in the Clipboard plugin reported by Anton Subbotin.

  Issue summary: The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. See CVE-2021-32809 for more details.

• Fixed XSS vulnerability in the Widget plugin reported by Anton Subbotin.

  Issue summary: The vulnerability allowed to abuse undo functionality using malformed Widget HTML, which could result in executing JavaScript code. See CVE-2021-32808 for more details.

• Fixed XSS vulnerability in the Fake Objects plugin reported by Mika Kulmala.

  Issue summary: The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. See CVE-2021-37695 for more details.

You can read more details in the relevant security advisory and contact us if you have more questions.

An upgrade is highly recommended!

Fixed Issues:

• #4777: Fixed: HTML comments in widgets not processed correctly.
• #4733: Fixed: Link prevent duplicate anchors in text with styles.
  • #4728: Fixed: Multiple anchors in one line and multi-line with text style.
  • #3863: Fixed: Multiple anchors in single word with text style.
• #3819: [Chrome] Fixed: After removing one of the two consecutive spaces, the   character appears in the editor instead of a space.
• #4666: [IE] Introduce CSS.escape polyfill. Thanks to limingli0707!
  • #681: Fixed: Table elements (td, tr, th, ..) with an id that starts with dot (.) causes javascript runtime err.
  • #641: Fixed: UploadImage Plugin Widgets not working in IE, Opera, Safari, PhantomJS.
• #3638: Fixed: Opening the same dialog twice causes it to become hidden under the dialog's page cover.
• #4247: Fixed: Color Button's incorrect rendering on the first opening.
• #4555: Fixed: Font styles with attributes are not applied correctly when used multiple times over the same selection.
• #4782: [Firefox] Fixed: TypeError is thrown when switching to Source View and back while Autocomplete plugin is enabled.

CKEditor 4.16.1

Fixed Issues:

• #4617: Fixed: Autocomplete is not accessible in inline editors.
• #4493: Fixed: The drop-down label does not reflect the current value of the drop-down.
• #1572: Fixed: A paragraph before or after a widget cannot be removed. Thanks to bunglegrind!
• #4301: Fixed: Pasted content is overwritten when pasted in an initially empty editor with the div Enter mode.
• #4351: Fixed: Incorrect values for RGBA/HSLA colors in Color Dialog.
• #4509: Fixed: Incorrect handling of drag & drop inside widgets and nested editables.
• #4611: [Android, iOS] Fixed: Incorrect hover styles for buttons in the toolbar on mobile devices.
• #4652: Fixed: Event data set to false is treated as an event cancellation.
• #4659: Fixed: CKEDITOR.htmlParser does not treat --!> as a comment end tag correctly.

CKEditor 4.15.1

Security Updates:

• Fixed XSS vulnerability in the Color History feature reported by Mark Wade.

  Issue summary: It was possible to execute an XSS-type attack inside CKEditor 4 by persuading a victim to paste a specially crafted HTML code into the Color Button dialog.

An upgrade is highly recommended!

Fixed Issues:

• #4293: Fixed: The CKEDITOR.inlineAll() method tries to initialize inline editor also on elements with an editor already attached to them.
• #3961: Fixed: The Table Resize plugin prevents editing of merged cells.
• #3649: Fixed: Applying a block format should remove existing block styles.
• #4282: Fixed: The script loader does not execute callback for scripts already loaded when called for the second time. Thanks to Alexander Korotkevich!
• #4273: Fixed: A memory leak in the CKEDITOR.domReady() method connected with not removing load event listeners. Thanks to rohit1!
• #1330: Fixed: Incomplete CSS margin parsing if an auto or 0 value is used.
• #4286: Fixed: The Auto Grow plugin causes the editor width to be set to 0 on editor resize.
• #848: Fixed: Arabic text not being "bound" correctly when pasting. Thanks to Thomas Hunkapiller and J. Ivan Duarte Rodríguez!

API Changes:

• #3649: Added a new stylesRemove editor event.

Other Changes:

• #4262: Removed the global reference to the stylesLoaded variable. Thanks to Levi Carter!
• Updated the Export to PDF plugin to 1.0.1 version:
  • Improved external CSS support for classic editor by handling exceptions and displaying convenient error messages.