helloflask / flask-ckeditor

CKEditor integration for Flask, including image upload, code syntax highlight, and more.
https://flask-ckeditor.readthedocs.io
MIT License
197 stars, 67 forks

Warning CKEditor 4.14.0 version is not secure #83

Closed localhostPIB closed 1 day ago

localhostPIB commented 4 days ago

I get the message: "This CKEditor 4.14.0 version is not secure. Consider upgrading to the latest one, 4.24.0-lts."

How do I upgrade this version?

crlandwe commented 3 days ago

+1, you can hide it with css.

AleksaPetrovicRBT commented 3 days ago

Hello, indeed you can hide it with CSS, but is this the right solution? In my humble opinion, we should (always) aim for the best and secure libraries. This is what is suggested in the release notes by CKEditor. Can you please let me know whether Flask CKEditor has a plan to fix this and what is the ETA?

localhostPIB commented 3 days ago

> +1, you can hide it with css.

You can hide it, but the (potential security) problem remains

crlandwe commented 3 days ago

> You can hide it, but the (potential security) problem remains

I obviously agree with this, hence the bump and making myself part of the conversation. This feature was first requested in 2020, and here we are in 2024. I suggested this as a band-aid, because I would have hordes of users submitting support tickets about this.

localhostPIB commented 3 days ago

> You can hide it, but the (potential security) problem remains

> I obviously agree with this, hence the bump and making myself part of the conversation. This feature was first requested in 2020, and here we are in 2024. I suggested this as a band-aid, because I would have hordes of users submitting support tickets about this.

It's certainly not wrong as a quick band-aid, but I hope that there will be a solution that will satisfy us all.

remyzandwijk commented 3 days ago

When using the CDN (meaning: not loading the CKEditor resources from a local location), it should be possible to override the version by using this in the templates:

{{ ckeditor.load(version='4.24.0-lts') }}

I guess it would be better to have something like app.config['CKEDITOR_VERSION'] = '4.24.0-lts', but that's not the case right now.

localhostPIB commented 3 days ago

> When using the CDN (meaning: not loading the CKEditor resources from a local location), it should be possible to override the version by using this in the templates:
>
> {{ ckeditor.load(version='4.24.0-lts') }}
>
> I guess it would be better to have something like app.config['CKEDITOR_VERSION'] = '4.24.0-lts', but that's not the case right now.

The idea is good, but now there's probably a paid version:

[CKEDITOR]: The license key is missing or invalid.

If you suddenly started to see this message, this may mean you accidentally updated CKEditor 4 to the LTS version (4.23.0 and above). This version of the editor is under commercial terms and requires acquiring an "Extended Support Model" contract - https://ckeditor.com/ckeditor-4-support/

For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#invalid-lts-license-key

remyzandwijk commented 3 days ago

Right, I was unaware of that. The latest non-LTS version seems to be 4.22.1, released on June 30th 2023. That version has the security issue found in January 2024 I think, so that's not an option.

localhostPIB commented 2 days ago

When I try to include CKEditor 5, I get the following message in my browser:

"Uncaught SyntaxError: export declarations may only appear at top level of a module".

This is how I integrated it:

{{ ckeditor.load(custom_url=url_for('static', filename='/js/lib/ckeditor5.js')) }}

greyli commented 2 days ago

You can disable the version check with the custom_config option like this:

{{ ckeditor.config(name='body', custom_config='versionCheck: false') }}

I will default this option to false in the next fix release, similar to what Django-CKEditor did.

A permanent fix would be upgrading to CKEditor 5, which is currently unsupported. Since CKEditor 5 has changed the license to GPL, I don't think we will move to CKEditor 5.

Hence, for security considerations, you may want to:
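As an added example (not code from flask-ckeditor or from any participant in this thread), here is a small audit script covering the three options raised above: it reads a rendered page, extracts the CKEditor 4 version loaded from the CDN (what the `version=` override changes), and flags when the "not secure" notice is merely suppressed, either by `versionCheck: false` or by CSS, rather than fixed by upgrading. The sample page, its markup, the `cke_notification*` class pattern and the CDN URL layout are assumptions constructed for this example; adjust the patterns to the markup your own templates actually produce.

```python
"""Audit rendered HTML for how CKEditor 4 is loaded and whether the
"not secure" notice has been suppressed instead of fixed."""
import re
from html.parser import HTMLParser

# Constructed sample page (an assumption, not flask-ckeditor's real output):
# loads 4.14.0 from the CDN, disables versionCheck and hides the notice bar.
SAMPLE_PAGE = """
<html><head>
<style>.cke_notifications_area { display: none; }</style>
<script src="https://cdn.ckeditor.com/4.14.0/standard/ckeditor.js"></script>
</head><body>
<textarea name="body"></textarea>
<script>
CKEDITOR.replace("body", { versionCheck: false, height: 300 });
</script>
</body></html>
"""

# Version segment of the CKEditor CDN URL, e.g. .../4.24.0-lts/standard/...
CDN_VERSION_RE = re.compile(r"cdn\.ckeditor\.com/(\d+\.\d+\.\d+(?:-lts)?)/")
# Editor config that silences the update notice
VERSIONCHECK_OFF_RE = re.compile(r"\bversionCheck\s*:\s*false\b")
# A CSS rule on a cke_notification* class that sets display: none
HIDE_NOTICE_RE = re.compile(r"\.cke_notification\w*[^{]*\{[^}]*display\s*:\s*none")


class _Collector(HTMLParser):
    """Collect external <script src> URLs and inline <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline = []
        self._capture = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)
            else:
                self._capture = True
        elif tag == "style":
            self._capture = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._capture = False

    def handle_data(self, data):
        if self._capture:
            self.inline.append(data)


def parse_version(text):
    """'4.24.0-lts' -> (4, 24, 0); the -lts suffix does not affect ordering."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not a CKEditor version: %r" % text)
    return tuple(int(x) for x in m.groups())


def audit(html, minimum="4.24.0-lts"):
    """Return (versions_loaded, findings) for one rendered page."""
    collector = _Collector()
    collector.feed(html)
    inline = "\n".join(collector.inline)

    versions = [v for src in collector.script_srcs for v in CDN_VERSION_RE.findall(src)]
    findings = []
    for v in versions:
        if parse_version(v) < parse_version(minimum):
            findings.append("loads CKEditor %s, older than %s" % (v, minimum))
    if VERSIONCHECK_OFF_RE.search(inline):
        findings.append("versionCheck disabled: the editor will no longer warn "
                        "about newer releases, so track the version yourself")
    if HIDE_NOTICE_RE.search(inline):
        findings.append("notice bar hidden with CSS: the warning is suppressed, not fixed")
    return versions, findings


if __name__ == "__main__":
    loaded, problems = audit(SAMPLE_PAGE)
    print("CKEditor versions loaded from CDN:", loaded)
    for p in problems:
        print(" -", p)
```

Run it against the HTML your Flask app actually serves (for example the body returned by the test client for a page that calls `ckeditor.load()` and `ckeditor.config()`), and treat any finding other than an up-to-date version as a reminder that the underlying editor has not changed, only the message has.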

localhostPIB commented 2 days ago

> A permanent fix would be upgrading to CKEditor 5, which is currently unsupported. Since CKEditor 5 has changed the license to GPL, I don't think we will move to CKEditor 5.

I was afraid of something like this.

ai-abdellah commented 1 day ago

Even version 4.22.1 is not secure.

greyli commented 1 day ago

In the 1.0.0 version, the version check has been disabled.