CKEditor 4.17 with enhanced Base64 images support, delayed editor initialization, and security fixes
We are happy to announce the release of CKEditor 4.17. In this major release, we are introducing a highly requested feature allowing developers to reattach the editor to the HTML DOM and delay its initialization. This release also comes with improved Base64 image support for clipboard operations, discontinued support for the Flash plugin, and other enhancements prepared by both the CKEditor 4 team and our lovely community!
Security fixes
A potential security vulnerability in the CKEditor 4 HTML processing core module (CVE-2021-41165) has been fixed. The vulnerability allowed malformed comment HTML to be injected, bypassing content sanitization, which could result in executing JavaScript code. Thanks to William Bowling for reporting this.
There was also a potential security vulnerability in the CKEditor 4 Advanced Content Filter (ACF) core module (CVE-2021-41164) that allowed malformed HTML to be injected, bypassing content sanitization, which could result in executing JavaScript code. Reported by Maurice Dauer. Thanks!
Detaching editor from the HTML DOM Tree
Two important changes related to detaching the editor from the HTML DOM were introduced:
The first one is the option to delay editor initialization, so that the editor tries to initialize itself after the editor element is attached to the DOM. Delayed editor creation starts when you invoke the usual replace() or inline() methods, but the editor is not created immediately. The instance creation is postponed and can be resumed automatically or on demand.
This feature is useful for third-party integrations like Angular, React, and Vue, where the process of initializing the DOM may be asynchronous.
The other change is the ability to reattach an editor that was already attached to the DOM; it remains completely functional after that procedure. This feature also finds its place in framework integrations and dynamic web pages where the same editor instance could be reused in other parts of the application.
You can read more about these newly introduced changes in the dedicated Delayed editor creation guide.
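The on-demand variant of delayed creation described above, as an added example that is not taken from the original post or from the CKEditor code base. It uses the delayIfDetached and delayIfDetachedCallback configuration options introduced in 4.17; the helper name createDeferredEditor and its handle object are hypothetical.

```javascript
// Added example (not CKEditor project code): resume delayed creation on demand.
// `ckeditor` is the global CKEDITOR object; it is a parameter so the helper
// can be exercised without a browser. createDeferredEditor is a hypothetical name.
function createDeferredEditor(ckeditor, element, extraConfig) {
  var resume = null; // creation function handed over by CKEditor, if any

  var config = Object.assign({}, extraConfig, {
    // Postpone creation when `element` is not in the document yet.
    delayIfDetached: true,
    // With a callback set, CKEditor passes the creation function to the
    // integration so it can decide when to resume.
    delayIfDetachedCallback: function (createEditor) {
      resume = createEditor;
    }
  });

  ckeditor.replace(element, config);

  return {
    // True while creation is postponed and waiting for resume().
    isPending: function () { return resume !== null; },
    // Call once the framework has attached `element` to the DOM.
    // Safe to call repeatedly, or when creation was never delayed.
    resume: function () {
      if (resume === null) { return false; }
      var create = resume;
      resume = null; // guard against creating the editor twice
      create();
      return true;
    }
  };
}

// Browser usage: the textarea is detached when replace() runs.
if (typeof CKEDITOR !== 'undefined' && typeof document !== 'undefined') {
  var textarea = document.createElement('textarea');
  var pending = createDeferredEditor(CKEDITOR, textarea, {});
  document.body.appendChild(textarea); // e.g. after a framework render
  pending.resume();
}
```

Without delayIfDetachedCallback, setting delayIfDetached alone leaves resumption to the editor, which checks periodically whether the element has been attached.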
Base64 images handling improvements
We have improved the way Base64 images are served in the editor and introduced two new ways to insert this kind of image into the content. Images can now be pasted as Base64 from the clipboard in all browsers except Internet Explorer. It is also now possible to drag and drop images straight into the content as Base64.
Flash support ended
Adobe ended its support of Flash Player on December 31, 2020, and blocked Flash content from running in Flash Player beginning January 12, 2021.
Due to that fact, we have decided to deprecate and remove the Flash plugin from CKEditor 4 to help protect users’ systems and discourage using insecure software. This change will not break your current editor configuration, but the Flash plugin will no longer be active.
Other improvements
We would like to acknowledge the work of our great community and the improvements brought by community contributors:
- Improved the performance of pasting high-resolution images in the Chrome browser. Thanks to FlowIT-JIT!
- Added support for loading content templates from HTML files via HTTP requests. Thanks to Fynn96!
- Added support for inserting content next to block widgets using keyboard navigation. Thanks to bunglegrind!
You can find more improvements and changes in the release changelog, so be sure to read it!
Important bug fixes
- Links and images were sometimes not displayed properly when printing editor content.
- Improved support for print and preview plugins when using the editor from the CDN.
- Fixed the issue where the autolink plugin incorrectly escaped & characters when pasting links into the editor.
Learn more about fixed issues in 4.17 by reading our release changelog!
Release version
Due to a regression in CKEditor 4.17.0 that was only revealed after the release and affected a limited area of operation, CSS assets loaded via relative links started to point to an invalid location when loaded from external resources.
We have therefore decided to immediately release CKEditor 4.17.1, which fixes this problem. If you have already upgraded to v4.17.0, make sure to upgrade to v4.17.1 to avoid this regression.
Release notes
Check out the release notes and contact us for more information.
Download
Download CKEditor now and upgrade your installation or use your favorite package manager to install it!
License
CKEditor is available under Open Source and Commercial licenses. Full details can be found on our license page.
Reporting issues and contributing
Please report any new issues in the CKEditor 4 development repository and follow the instructions in the issue template. You can also contribute code and provide editor patches through pull requests.
Support
Community support is available through Stack Overflow. Visit the resources page for additional options.