CVE-2020-9281: GitHub - ckeditor/ckeditor4: The best enterprise-grade WYSIWYG editor. Fully customizable with countless features and plugins.
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
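The mechanism behind the advisory above, as an added illustration written for this page: it is not CKEditor's own code and does not reproduce its data processor. An editor that must preserve markup it cannot render (server-side tags, for instance) swaps that markup for a marker comment before content filtering runs and restores it afterwards. If the restore step accepts markers that were already present in untrusted input, the marker becomes a filter bypass. The marker format follows the `<!--{cke_protected}...-->` syntax named in the advisory; every regex, helper name, the PHP-tag rule and the sample inputs below are this example's own assumptions.

```javascript
// Added example for this page; NOT CKEditor's code. A toy "protected source"
// round trip: protect() on the way in, unprotect() on the way out, with a
// minimal content filter in between.

// Marker comment syntax named in the advisory; the regex is an assumption.
const MARKER_RE = /<!--\{cke_protected\}([\s\S]*?)-->/g;
// Assumed rule: server-side <?php ... ?> blocks are the only protected source.
const PROTECTED_SOURCE_RE = /<\?[\s\S]*?\?>/g;

// Editor side: wrap a piece of source so it survives filtering untouched.
function protect(source) {
  return '<!--{cke_protected}' + encodeURIComponent(source) + '-->';
}

function protectSource(data) {
  return data.replace(PROTECTED_SOURCE_RE, (match) => protect(match));
}

// Stand-in for a content filter: drops <script> elements and on* handlers.
// HTML comments are left alone, which is what lets a marker ride through.
function filterUntrusted(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Restore protected source. Whatever sits inside a marker is trusted
// verbatim, so a marker must never be something user input can supply.
function unprotect(html) {
  return html.replace(MARKER_RE, (whole, encoded) => {
    try {
      return decodeURIComponent(encoded);
    } catch (e) {
      return whole; // malformed percent-encoding: leave the comment inert
    }
  });
}

// Vulnerable pipeline: nothing distinguishes a marker the editor created
// from one that was already in the untrusted input, so an input-supplied
// marker is decoded into live markup AFTER the filter has run.
function toHtmlVulnerable(userData) {
  return unprotect(filterUntrusted(protectSource(userData)));
}

// Hardened pipeline: defuse any marker arriving in input BEFORE the editor
// creates its own, so only protect() output ever reaches unprotect().
// Renaming the token is this example's chosen mitigation; the foreign
// comment survives as an ordinary, inert HTML comment.
function neutraliseForeignMarkers(userData) {
  return userData.replace(/<!--\{cke_protected\}/g, '<!--{cke_protected_foreign}');
}

function toHtmlHardened(userData) {
  return unprotect(filterUntrusted(protectSource(neutraliseForeignMarkers(userData))));
}

// Constructed sample inputs (not taken from any real report).
const LEGIT = '<p>Total: <?php echo $total; ?></p>';
const INLINE_SCRIPT = '<p>x</p><script>alert(1)</script>';
const CRAFTED =
  '<p>hi</p><!--{cke_protected}' + encodeURIComponent('<script>alert(1)</script>') + '-->';

for (const [label, input] of [['legit', LEGIT], ['inline script', INLINE_SCRIPT], ['crafted marker', CRAFTED]]) {
  console.log(label + ' / vulnerable:', toHtmlVulnerable(input));
  console.log(label + ' / hardened  :', toHtmlHardened(input));
}
```

The legitimate PHP block round-trips unchanged through both pipelines and a plain `<script>` is filtered by both; only the crafted marker separates them, because the vulnerable pipeline decodes it after the filter has already approved the document. The hardening rests on one assumption worth checking in any editor built this way: markers are an internal, in-flight representation that is restored before data leaves the editor, so one should never legitimately appear in incoming data, and treating every incoming marker as foreign costs nothing.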
**CKEditor 4 - Smart WYSIWYG HTML editor**
A highly configurable WYSIWYG HTML editor with hundreds of features, from creating rich text content with captioned images, videos, tables, media embeds, emoji or mentions to pasting from Word and Google Docs and drag&drop image upload.
Supports a broad range of browsers, including legacy ones.
Getting started
Using npm package
npm install --save ckeditor
Use it on your website:
```html
<div id="editor">
    <p>This is the editor content.</p>
</div>
<script src="./node_modules/ckeditor/ckeditor.js"></script>
<script>
    CKEDITOR.replace( 'editor' );
</script>
```
Using CDN
Load the CKEditor 4 script from CDN. Note that the version pinned in this snippet, 4.13.0, falls inside the range affected by CVE-2020-9281 (CKEditor 4.0 before 4.14), so a deployment should point at a release outside that range:
```html
<div id="editor">
    <p>This is the editor content.</p>
</div>
<script src="https://cdn.ckeditor.com/4.13.0/standard/ckeditor.js"></script>
<script>
    CKEDITOR.replace( 'editor' );
</script>
```
Integrating with Angular, React and Vue.js
Refer to official usage guides for the ckeditor4-angular, ckeditor4-react and ckeditor4-vue packages.
Manual download
Visit the CKEditor 4 download section on the CKEditor website to download ready-to-use CKEditor 4 packages or to create a customized CKEditor 4 build.
Features
- Over 500 plugins in the Add-ons Repository.
- Pasting from Microsoft Word, Excel and Google Docs.
- Drag&drop image uploads.
- Media embeds to insert videos, tweets, maps, slideshows.
- Powerful clipboard integration.
- Content quality control with Advanced Content Filter.
- Extensible widget system.
- Custom table selection.
- Accessibility conforming to WCAG and Section 508.
- Over 70 localizations available with full RTL support.
Browser support
| IE / Edge | Firefox | Chrome | Chrome (Android) | Safari | iOS Safari | Opera |
| --- | --- | --- | --- | --- | --- | --- |
| IE8, IE9, IE10, IE11, Edge | latest version | latest version | latest version | latest version | latest version | latest version |
Find out more in the Browser Compatibility guide.
Working with the ckeditor4 repository
Attention: The code in this repository should be used locally and for development purposes only. We do not recommend using it in a production environment because the user experience will be very limited.
Code installation
There is no special installation procedure to install the development code. Simply clone it to any local directory and you are set.
Available branches
This repository contains the following branches:
- master – Development of the upcoming minor release.
- stable – Latest stable release tag point (non-beta).
- latest – Latest release tag point (including betas).
- release/A.B.x (e.g. 4.0.x, 4.1.x) – Release freeze, tests and tagging. Hotfixing.
Note that the master branch is under heavy development. Its code has not passed the release testing phase, so it may be unstable.
Additionally, all releases have their respective tags in the following form: 4.4.0, 4.4.1, etc.
Samples
The samples/ folder contains some examples that can be used to test your installation. Visit CKEditor 4 Examples for plenty of samples showcasing numerous editor features, with source code readily available to view, copy and use in your own solution.
Code structure
The development code contains the following main elements:
- Main coding folders:
- core/ – The core API of CKEditor 4. Alone, it does nothing, but it provides the entire JavaScript API that makes the magic happen.
- plugins/ – Contains most of the plugins maintained by the CKEditor 4 core team.
- skin/ – Contains the official default skin of CKEditor 4.
- dev/ – Contains some developer tools.
- tests/ – Contains the CKEditor 4 tests suite.
Building a release
A release-optimized version of the development code can be easily created locally by running the dev/builder/build.sh script.
A "release-ready" working copy of your development code will be built in the new dev/builder/release/ folder. An Internet connection is necessary to run the builder, for the first time at least.
Testing environment
Read more on how to set up the environment and execute tests in the CKEditor 4 Testing Environment guide.
Reporting issues
Use the CKEditor 4 GitHub issue page to report bugs and feature requests.
License
Copyright © 2003-2022, CKSource Holding sp. z o.o. All rights reserved.
For licensing, see LICENSE.md or https://ckeditor.com/legal/ckeditor-oss-license
Related news
An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKEditor "protected" comment as described in CVE-2020-9281.