turnkeylinux / tracker

TurnKey Linux Tracker
https://www.turnkeylinux.org

turnkeylinux.com CKEditor comment area giving error #1969

Closed l-arnold closed 3 months ago

l-arnold commented 4 months ago

This CKEditor 4.17.1 version is not secure. Consider upgrading to the latest one, 4.24.0-lts.

Unfortunately also, this error message is right in the middle of the typing zone, so it is difficult to see what you are typing there.

as of 7-5-2024/ 7-6-2024

JedMeister commented 4 months ago

Hi @l-arnold

Do you mean the website?

If so I can't reproduce it, although I will double check the website ASAP. IIRC ckeditor in Drupal7 (the website is built on the Drupal7 appliance) is provided by a drupal module and we use the 'security' channel of the module. I'll need to double check exactly how the drupal module security channel works, but it is possible that it's an older version, but with backported sec updates? Similar to how Debian does it.

Or do you mean an appliance? If so, which specific one?

l-arnold commented 4 months ago

I should test on a different browser. This is in Chrome though on my main computer.

[Screenshot 2024-07-09 16:07:13]

l-arnold commented 4 months ago

And I get basically the same in Edge. Perhaps there is some module hanging off of the two browsers causing this on my system.

[Screenshot 2024-07-09 16:10:53]

Basically, it would seem, Drupal at https://turnkeylinux.org

JedMeister commented 4 months ago

Thanks Landis.

FWIW the reason why I couldn't see it is because I have ckeditor disabled in my account. And even when I enabled it for some reason the error message didn't show? Regardless, I created a new account and I can now see it - thanks for your persistence and additional info.

The TurnKey site is still using D7 (Drupal 7) which is old, but still supported until Jan 2025. However it seems that the newest available ck4 (ckeditor v4) module is insecure and now EOL. There is a newer ck4 release, but it's pay for and the licence is $10k!

The current version of ck5 is free, but not compatible with D7 and I could not find any other WYSIWYG editors that are both compatible with D7 and not EOL. So it seems that we have limited immediate options...

I have disabled it completely for now - which is far from ideal. It means that all further posts will be in plain text (or need to be manually written in html). I have considered just disabling ckeditor for all but the most trusted website users but I'm unclear whether that is a good path or not.

D7 is EOL January next year anyway, so updating the site was already on our radar. But it sucks that we've been caught out by this.

The current version of Drupal is v10 - but the update from D7 is a PITA. So we've already decided to go a different direction and redo the site completely from scratch - as a static site. Although that means that we will still need to do something with the forums. We have yet to finalise exactly which way we would go with the forums, but I'll make the priority of that higher. I have another high priority item in progress, but I aim to get onto working on new forums ASAP.

FYI we have been considering Discourse. It would also make a great appliance but unfortunately the only supported Production install path is via Docker. So we'll need to manually install it ourselves for our site and wait until we have Docker support in our build chain to release an appliance.

Thanks again.

JedMeister commented 3 months ago

Other than disabling ckeditor4 on the website - which I've done - there isn't really any "proper" solution to this. So I'm going to close. Thanks again for the heads up Landis.