Headline
CVE-2021-21254: Release v25.0.0 · ckeditor/ckeditor5
CKEditor 5 is an open source rich text editor framework with a modular architecture. The CKEditor 5 Markdown plugin (@ckeditor/ckeditor5-markdown-gfm) before version 25.0.0 has a regex denial of service (ReDoS) vulnerability. The vulnerability allowed to abuse link recognition regular expression, which could cause a significant performance drop resulting in browser tab freeze. It affects all users using CKEditor 5 Markdown plugin at version <= 24.0.0. The problem has been recognized and patched. The fix will be available in version 25.0.0.
Release highlights
We are happy to announce the release of CKEditor 5 v25.0.0 that contains a security fix for the Markdown-GFM package. Even though this is a low impact issue and only affects the victim’s browser with no risk of data leakage, an upgrade is highly recommended! You can read more details in the relevant security advisory and contact us if you have more questions.
This release brings a few improvements and bug fixes:
- UX improvements to editing around the block boundaries (#8137, #7636).
- Formatting large content will not freeze the editor.
- Uploading Base64 images will no longer cause a CSP violation.
- Unlinking an image will not crash the editor anymore.
Collaboration features
The CKEditor 5 Collaboration features changelog can be found here: https://ckeditor.com/collaboration/changelog.
MINOR BREAKING CHANGES ℹ️
- ui: Configuration passed to ToolbarView.fillFromConfig() will be stripped off of any leading, trailing, and duplicated separators (‘|’ and '-').
Features
- autoformat: The horizontal line can be inserted by typing — in an empty block. Closes #5720. (commit)
- autoformat: Square brackets should convert the current line to a to-do list item. Closes #7518. (commit)
- block-quote: The block quote should be split on the Backspace key press at the beginning of the block quote. Closes #7636. (commit)
- engine: The new DataController#htmlProcessor property is initialized with the instance of the HtmlDataProcessor class and assigned to the DataController#processor property by default. (commit)
- typing: An empty block element at the beginning of the limit element should be converted to a paragraph on the Backspace key press. Closes #8137. (commit)
- ui: Implemented additional panel positions for the DropdownView class to address edge cases when the panel is cut due to small screen size (see #7700, #8669). (commit)
- ui: Items baked into the editor bundles can now be removed from the toolbar by using config.toolbar.removeItems. Closes #7945. (commit)
Bug fixes
- autoformat: Formatting will not be applied to snake_case_scenarios anymore. Closes #2388. (commit)
- engine: The setData() helper in the dev-utils model should support the batchType option. Closes #7947. (commit)
- export-pdf: The command should use the proper token if executed without providing a token in the command options.
- export-word: The command should use the proper token if executed without providing a token in the command options.
- horizontal-line: The horizontal line feature should require the Widget plugin. Closes #8825. (commit)
- html-embed: Pasting an HTML embed widget from the clipboard will not clear its content anymore. Closes #8789. (commit)
- html-embed: The HTML embed plugin should require the Widget plugin. Closes #8720. (commit)
- html-embed: The save button should close the source mode even if there are no changes. Closes #8560. (commit)
- image: The image plugins can be loaded in any order without causing an error. Closes #8270. (commit)
- image: Allow pasting an image with a data URL scheme as the value of the src attribute if strict CSP rules are defined. Closes #7957. (commit)
- image: Fixed the image resizer for images with links. Closes #8749. (commit)
- image: An empty image caption should be hidden if the editor is in read-only mode. Closes #5168. (commit)
- link: Removing a link from an image should not throw an error when link decorators are also present. Closes #8401. (commit)
- list: The delete event handler is now listening on a higher priority to avoid being intercepted by the block quote and widget handlers. Closes #8706. (commit)
- pagination: The pagination plugin should be disabled and a warning should be displayed if its configuration is missing.
- page-break: Dropping an image on the page break widget should not crash the editor. Closes #8788. (commit)
- page-break: The page break feature should require the Widget plugin. Closes #8825. (commit)
- special-characters: The special characters dropdown should always fit into the viewport. Closes #7700, #8669. (commit)
- table: The contents of nested tables are no longer going through upcasting. Closes #8393. (commit)
- table: The table properties balloon should always follow the table when the alignment changes. Closes #6223. (commit)
- theme-lark: The HTML embed text in a disabled input in Safari on iOS should have the same color as in other browsers. Closes #8320. (commit)
- theme-lark: The dropdown button should not have an inner shadow in active state. Closes #8699. (commit)
- ui: The “Show more items” toolbar button tooltip should not overflow the editor. Closes #8655. (commit)
- ui: The '-' (new line) divider should not be rendered when grouping is enabled. Closes #8582. (commit)
- word-count: The word count feature should consider a string with a special character as a single word. Closes #8078. (commit)
Other changes
- engine: Optimized the Model#insertContent() function to use as few operations as possible to reduce the time needed to handle pasting large content into the editor. Closes #8054, #715. (commit)
- engine: Improved performance of the Differ#getChanges() function. Closes #8188. (commit)
- export-word: The timezone option should be passed to the Export to Word converter.
- html-embed: A placeholder should be displayed if the HTML snippet is not previewable or empty. Closes #8435. (commit)
- link: Improved how the fake selection marker for the link UI is created. Closes #8092. (commit)
- mention: The conversion API reference is no longer passed down to the attribute properties. Closes #8370. (commit)
- Updated translations. (commit, commit)
Released packages
Check out the Versioning policy guide for more information.
Released packages (summary)
Minor releases (contain minor breaking changes):
- @ckeditor/ckeditor5-ui: v24.0.0 => v25.0.0
Releases containing new features:
- @ckeditor/ckeditor5-autoformat: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-block-quote: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-build-classic: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-clipboard: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-editor-balloon: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-editor-classic: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-editor-decoupled: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-editor-inline: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-engine: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-horizontal-line: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-html-embed: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-list: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-special-characters: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-theme-lark: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-typing: v24.0.0 => v25.0.0
Other releases:
- @ckeditor/ckeditor-cloud-services-core: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-adapter-ckfinder: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-alignment: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-autosave: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-basic-styles: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-build-balloon: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-build-balloon-block: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-build-decoupled-document: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-build-inline: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-ckfinder: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-cloud-services: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-code-block: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-core: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-easy-image: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-enter: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-essentials: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-font: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-heading: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-highlight: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-image: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-indent: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-link: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-markdown-gfm: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-media-embed: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-mention: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-page-break: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-paragraph: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-paste-from-office: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-remove-format: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-restricted-editing: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-select-all: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-table: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-undo: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-upload: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-utils: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-watchdog: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-widget: v24.0.0 => v25.0.0
- @ckeditor/ckeditor5-word-count: v24.0.0 => v25.0.0