  1. Sakai
  2. SAK-43385

WebJars: Upgrade CKEDITOR from 4.13.1 to 4.14.0

    Details

    • 20 status:
      Please Merge
    • Test Plan:
      1. Open resources and create a new HTML file.
      2. Test the CKEditor in-depth, try to add rich content, attach images, attach sound recordings.
      3. Test the autosave plugin, it should save the content after 15 minutes of inactivity.
      4. Test the wordcount plugin, it should count the words and display them at the bottom side.

      Description

      CKEDITOR 4.14.0 has been released.

      https://ckeditor.com/cke4/release/CKEditor-4.14.0

      It contains security fixes; I recommend upgrading 20.x too, and even 19.x.

      CKEditor 4.14.0

      Mar 04/2020
      Security Updates:

      • Fixed XSS vulnerability in the HTML data processor reported by Michał Bentkowski of Securitum.

      Issue summary: It was possible to execute XSS inside CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, and (iii) switch back to WYSIWYG mode or (i) copy the specially crafted HTML code, prepared by the attacker and (ii) paste it into CKEditor in WYSIWYG mode.

      • Fixed XSS vulnerability in the WebSpellChecker plugin reported by Pham Van Khanh from Viettel Cyber Security.

      Issue summary: It was possible to execute XSS using CKEditor after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opened CKEditor source area, then (iii) switch back to WYSIWYG mode, and (iv) preview CKEditor content outside CKEditor editable area.

      An upgrade is highly recommended!

      New features:

      Fixed Issues:

      • #3587: [Edge, IE] Fixed: Widget with form input elements loses focus during typing.
      • #3705: [Safari] Fixed: Safari incorrectly removes blocks with the editor.extractSelectedHtml() method after selecting all content.
      • #1306: Fixed: The Font plugin creates nested HTML <span> tags when reapplying the same font multiple times.
      • #3498: Fixed: The editor throws an error during the copy operation when a widget is partially selected.
      • #2517: [Chrome, Firefox, Safari] Fixed: Inserting a new image when the selection partially covers an existing enhanced image widget throws an error.
      • #3007: [Chrome, Firefox, Safari] Fixed: Cannot modify the editor content once the selection is released over a widget.
      • #3698: Fixed: Cutting the selected text when a widget is partially selected merges paragraphs.

      API Changes:

                  People

                  • Assignee:
                    farreri Miguel Pellicer
                    Reporter:
                    farreri Miguel Pellicer