ckeditor / ckeditor4

The best enterprise-grade WYSIWYG editor. Fully customizable with countless features and plugins.
https://ckeditor.com/ckeditor-4

Important update for CKEditor 4 Users #5519

Open jacekbogdanski opened 2 months ago

jacekbogdanski commented 2 months ago

As we approach the one-year anniversary of CKEditor 4 reaching its end of life, it's crucial to emphasize the importance of maintaining a secure software environment.

Starting July 1st, we'll activate security notifications for CKEditor 4. This change will impact the open-source version 4.22 and all earlier versions served via our CDN. These notifications will alert users and integrators to the presence of unsecured CKEditor 4 versions, which may be vulnerable to security threats. As of this writing, the latest secure version of CKEditor 4 is 4.24.0-lts. Applications using secure CKEditor 4 versions won’t be impacted by these notifications.

Our aim with this initiative is to raise awareness about the risks associated with using version 4.22 and below, which have known security vulnerabilities. We want to ensure all integrators are informed and able to make informed decisions about their next steps.

Options for Integrators

For integrators, we recognize that seeing these notifications may not always be ideal. Therefore, CKEditor 4 includes an option to disable these security notifications. However, while this may offer temporary relief, we strongly advise against continuing to use an unsecured version of CKEditor 4. Disabling notifications without addressing underlying security risks leaves your application exposed to potential threats.

For those interested in using the latest, secure version of CKEditor 4, reach out to us regarding obtaining a CKE 4 LTS license.

You may manually disable security notifications for the editor using the following configuration option: config.versionCheck

CKEDITOR.replace( 'editor', {
    // Disable security notifications.
    versionCheck: false
} );

We’ve prepared additional content to help you learn more about our Extended Support Model for CKEditor 4 and how we can help keep your application secure.

QMiqTx6DHn1bA9yaNaAbsD3CLG8gTmd4 commented 4 days ago

This change will impact the open-source version 4.22 and all earlier versions served via our CDN

What's your take on immutability of versions, also in light of possible (and frankly advised) use of https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity on the web?