CKEditor 4.18.0 Released, Fixing Remote Code Execution Vulnerability

CKEditor 4.18.0 has been released with browser bug fixes and security patches.

CKEditor 4.18.0 provides important security fixes for the HTML processing core module and dialog plugins. It also includes important bug fixes to the Paste From Word plugin in the latest version of Chrome. Additionally, the new version deprecates the end-of-life WebSpellChecker Dialog plugin.

Security fixes

A potential security vulnerability in the CKEditor 4 HTML processing core module allowed malformed HTML to be injected in a way that bypasses content sanitization, which could lead to the execution of JavaScript code (CVE-2022-24728). The new version provides a patch for this vulnerability.

Additionally, the CKEditor 4 team discovered a potential regular expression denial of service vulnerability in the CKEditor 4 dialog plugin during a standard security audit. The vulnerability allows attackers to abuse dialog input validator regular expressions, which can lead to significant performance degradation (CVE-2022-24729). This vulnerability has been fixed in the current version.

The CKEditor team strongly recommends upgrading to the new version to avoid any potential risks.
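Both fixes land in 4.18.0, so the practical check for a defender is an inventory of deployed CKEditor 4 versions. The following is an added example, not code from the CKEditor project or the announcement; it assumes the `major.minor.patch` string format that CKEditor 4 exposes as `CKEDITOR.version`, and the sample version list is constructed.

```javascript
// Added example (not CKEditor project code): flag CKEditor 4 builds older than
// 4.18.0, the release that fixes CVE-2022-24728 and CVE-2022-24729.
const FIXED_VERSION = '4.18.0';
const FIXED_CVES = ['CVE-2022-24728', 'CVE-2022-24729'];

// Parse a "major.minor.patch" string (the CKEDITOR.version format).
// Returns [major, minor, patch] as numbers, or null if the string is malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare two parsed versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Report whether a CKEditor 4 version predates the fixed release.
// Versions outside the 4.x line (or unparseable strings) are reported as 'unknown'
// rather than guessed at, since this page only covers the 4.x fixes.
function checkCkeditor4(versionString) {
  const parsed = parseVersion(versionString);
  if (!parsed || parsed[0] !== 4) {
    return { version: versionString, status: 'unknown', cves: [] };
  }
  const affected = compareVersions(parsed, parseVersion(FIXED_VERSION)) < 0;
  return {
    version: versionString,
    status: affected ? 'affected' : 'fixed',
    cves: affected ? FIXED_CVES.slice() : [],
  };
}

// Constructed sample inventory; in a page embedding CKEditor 4 you would pass
// CKEDITOR.version instead.
const sampleVersions = ['4.17.2', '4.18.0', '4.19.1', '5.0.0', 'not-a-version'];
sampleVersions.forEach((v) => console.log(checkCkeditor4(v)));
```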

Browser bug fixes

Chrome 98 introduced a bug that caused the pixel unit to be calculated incorrectly in the Paste From Word plugin, resulting in invalid sizing of certain features, such as table borders. This release fixes the issue by updating the convertToPx method.

See the release announcement for details.

Source: www.oschina.net/news/188444/ckeditor-4-18-0-released