Support CKEditor 4.18

Created on 16 March 2022, almost 3 years ago
Updated 26 October 2023, about 1 year ago

Drupal Core has updated 9.2 and 9.3 today following a security update to the CKEditor library.

For Drupal 7 sites, this requires updating the CKEditor library wherever it is used to 4.18, the version that addresses the vulnerability.

I use CKEditor through this module, and have updated the library on the sites I maintain.

However, I'm seeing this message, because the module has not been tested with anything beyond 4.17:

The installed editor library version was changed from 4.16.1.cae20318d4 to 4.18.0.5fe059002f3 since this profile was last saved. Wysiwyg was only able to adapt the profile to editor version 4.17.1.f6dd30807a, any additional differences to the installed version will not be accounted for and the editor may not work as expected. The installed version has not been tested, the editor may not work as expected. This message is shown until the profile is saved while a verified version is installed.

It would seem that the Wysiwyg module needs an update to show 4.18 as a supported library version.

✨ Feature request
Status

Closed: duplicate

Version

2.0

Component

Editor - CKEditor

Created by

🇬🇧 United Kingdom JamesOakley Kent, UK


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇳🇴 Norway steinmb

    Move to feature req. and they are normally never critical.

  • 🇬🇧 United Kingdom JamesOakley Kent, UK

    "Never normally critical" may generally be true. But what we're discussing here is a security vulnerability fixed and published upstream by CKEditor (in March 2022), leading the Drupal security team to release a core update to ensure Drupal 9.x and above does not use the vulnerable library. Drupal 7 needs this module to power the editor, and this module does not support the versions of CKEditor that incorporate the security fix.

    I'd say allowing site maintainers to update the CKEditor library to one without vulnerabilities is more pressing than "normal".

  • 🇸🇪 Sweden twod Sweden

    No specific CKEditor 4 version is bundled with Wysiwyg module and there is nothing preventing anyone from installing 4.18 or any newer version.
    The message you see if you do install a newer version really only means we can't guarantee an update does not need a migration path to automatically reconfigure the editor profile to compensate for changes outside the current range. The CKEditor team have been very good at keeping with the promises of semantic versioning and 4.x has been very stable for a long time so I doubt anyone would actually have any issues.

    Admittedly, I could have done a better job of publishing new versions of Wysiwyg module, but since it's just a warning message I've not considered it critical so far.

    I'll see if I can get some time this weekend and pull together some cleanup patches for a new release, including bumping any "supported version" ranges as needed.

    Many thanks again to @steinmb, who is plowing through the issue queue, reminding me there are still things to do here, and that it would not be wasted time to keep D7 contrib modules rolling.

  • Status changed to Closed: duplicate about 1 year ago
  • 🇺🇸 United States hargobind Austin, Texas

    Now that ✨ Update to CKEditor 4.21.0 Fixed has been committed and released, I'm marking this issue as a duplicate.

    I've been running a few sites with patch #2 in production for a long time and never ran into #6.

    I added @davidrobinson_pw's comments from #5 to the issue where the fix was committed. Please continue the discussion there if the upgrade with spellchecker is still a problem.
