Added CKEditor 4.24.0 standard-all.
jacekbogdanski committed Feb 7, 2024
1 parent 791f951 commit f51eacd
Showing 120 changed files with 1,565 additions and 994 deletions.
26 changes: 26 additions & 0 deletions CHANGES.md
Expand Up @@ -2,6 +2,32 @@

If you would like to keep access to future CKEditor 4 security patches, check the [Extended Support Model](https://ckeditor.com/ckeditor-4-support/), which guarantees **security updates and critical bug fixes until December 2026**. Alternatively, [upgrade to CKEditor 5](https://ckeditor.com/docs/ckeditor5/latest/updating/ckeditor4/migration-from-ckeditor-4.html).

## CKEditor 4.24.0-lts

⚠️️️ Please note that this release is a part of [CKEditor 4 Extended Support Model](https://ckeditor.com/ckeditor-4-support/), only available to customers who decided to acquire the LTS (Long Term Support) version of the editor. **All editor versions below 4.24.0-lts can no longer be considered as secure!** ⚠️

**Security Updates:**

* Fixed cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection reported by [Michal Frýba](https://cz.linkedin.com/in/michal-fryba), [ALEF NULA](https://www.alefnula.com/).

Issue summary: The vulnerability allowed to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. See [GHA](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm) for more details.

* Fixed cross-site scripting (XSS) vulnerability in AJAX sample reported by Rafael Pedrero, see [INCIBE](https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-scripting-vulnerability-cksource-ckeditor) report.

Issue summary: The vulnerability allowed to execute JavaScript code by abusing the AJAX sample. See [GHA](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-wh5w-82f3-wrxh) for more details.

* Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature reported by Marcin Wyczechowski & Michał Majchrowicz, AFINE Team.

Issue summary: The vulnerability allowed to execute JavaScript code by abusing the misconfigured preview feature. See [GHA](https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76) for more details.

You can read more details in the relevant security advisories. [Contact us]([email protected]) if you have more questions.

**An upgrade is highly recommended!**

Fixed Issues:

* Fixed: The CDATA parsing mechanism incorrectly detects the end of CDATA content. This fix unifies how style and script elements are parsed with the browser's behavior.

## CKEditor 4.23.0-lts

This release introduces the LTS (”Long Term Support”) version of the editor, available under commercial terms (["Extended Support Model"](https://ckeditor.com/ckeditor-4-support/)).
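Review bot: The two sample-related entries under "Security Updates" (the AJAX sample and the "samples with enabled the preview feature" entry) do not name the affected sample files or say whether an installation that does not deploy the samples is exposed, while the release banner states that all versions below 4.24.0-lts can no longer be considered secure. Please add a sentence to each entry naming the affected samples and stating what an integrator has to do besides upgrading, so readers can triage their own deployments. The third entry also lacks the leading "Fixed" that the first two have and reads more clearly as "Fixed cross-site scripting (XSS) vulnerability in samples with the preview feature enabled". The three advisory links are labelled "GHA" although each points at a github.com security advisory with a GHSA identifier; "GHSA" or "security advisory" as the link text avoids confusion with GitHub Actions. Finally, "Fixed Issues:" is plain text where "**Security Updates:**" is bold; make the two labels consistent.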
1,620 changes: 810 additions & 810 deletions ckeditor.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion lang/af.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
