CKEditor 4.15.1 has been released: https://ckeditor.com/blog/CKEditor-4.15.1-with-a-security-patch-released/
I encountered this Bug in Drupal 8.9.6, and the new release fixes it: https://github.com/ckeditor/ckeditor4/issues/4286
See also:
#1858210: [meta] Content editing experience follow-ups — in-place editing and WYSIWYG
#1950098: Update CKEditor library to 4.1
#2036253: Update CKEditor library to 4.2
#2039163: Update CKEditor library to 4.4
#2271051: Update CKEditor library to 4.4.4
#2345961: Update CKEditor library to 4.4.5
#2384581: Security: Update CKEditor library to 4.4.6
#2415111: Update CKEditor library to 4.4.7
#2521820: Update CKEditor library to 4.5.3
#2321583: Update CKEditor library to 4.5.5
#2663566: Update CKEditor library to 4.5.7
#2698587: Update CKEditor library to 4.5.8
#2724225: Update CKEditor library to 4.5.9
#2765751: Update CKEditor library to 4.5.10
#2797427: Update CKEditor library to 4.5.11
#2828494: Update CKEditor library to 4.6
#2848215: Update CKEditor library to 4.6.2
#2893566: Update CKEditor library to 4.7.1
#2904142: Update CKEditor library to 4.7.2
#2908864: Update CKEditor library to 4.7.3
#2926932: Update CKEditor library to 4.8.0
#2962330: Update CKEditor library to 4.9.2
#2983516: Update CKEditor library to 4.10.0
#2999691: Update CKEditor library to 4.10.1
#3035933: Update CKEditor to 4.11.3
#3050757: Update CKEditor to 4.11.4
#3072382: Update CKEditor to version 4.13
#3105327: Update CKEditor to version 4.13.1
#3120022: Update CKEditor to version 4.14.0
#3171952: Update CKEditor to version 4.15.0
Release notes snippet
CKEditor has been updated from 4.15.0 to 4.15.1 for a security fix that does not affect Drupal.
Comment | File | Size | Author |
---|---|---|---|
#24 | 3183749-update-ckeditor-4-15-1--4.patch | 2.42 MB | xdong |
#16 | interdiff_13_16.txt | 1.11 MB | Spokje |
#16 | 3183749-update_ckeditor_4_15_1-16.patch | 2.17 MB | Spokje |
#12 | png-diff.png | 34.44 KB | bnjmnm |
Comments
Comment #2
xdong
Comment #3
Feuerwagen
Comment #4
cilefen
Comment #5
xdong
Comment #6
xjm
Comment #7
xjm
9.1.x and 9.2.x are on 4.15.0, so this will be just a patch-level update for those branches and allowable in a patch release. Thanks!
Comment #8
xjm
Comment #9
xjm
Note that CKEditor updates will probably not be backported to 8.9.x because it is on 4.14.0 and the latest minor version is 4.15, so it would require a minor-level dependency update, and we don't usually do those in patch releases unless there is a security issue that affects Drupal. Drupal 8.9.x sites should update to Drupal 9.1 or higher to get the bugfixes in the latest releases (once this is committed, of course).
Comment #10
Wim Leers
Comment #11
Wim Leers
It looks like there are other bug fixes that Drupal 9 would benefit from:
The patch looks sound, and it updates `core.libraries.yml` as expected. All that remains is a round of manual testing and confirming that others can reproduce this build.
Comment #12
bnjmnm
I followed the steps in build-config.js and ran into several files that differed between the build I created and the one in the patch. Preliminary review suggests the differences are inconsequential, but it would be good to determine why the differences are there, and it would be good to have an additional contributor try a build and see if they run into the same thing, as that may indicate the differences are due to something incorrect with my build process. This was built in OSX 10.15.4, with Java SE development kit version 15.0.1 (which I was prompted to install before I could perform the build).
Most of the differences I found appear to be whitespace related, based on doing a diff with/without the option to ignore whitespace changes
Whitespace is considered in the diff:
Whitespace not considered in diff:
The ckeditor.js and several css files are only different in the value assigned to the `timestamp:` property. I believe this is an expected difference since it appears to be a cache busting string based on `( new Date() ).valueOf()`, but mentioning here just in case.
My build
(?:\?.*|;.*)?$/i,h={timestamp:"KBVD",version:"4.15.1",
Patch
(?:\?.*|;.*)?$/i,h={timestamp:"KAK3",version:"4.15.1",
I also compared the differing .png files, which seem identical visually. However, as seen in this comparison of icons.png the version in my build is larger, and was significantly different when compared with `vbindiff`, but I'm not sure what accounts for those differences.
Most likely the above differences have easy explanations, but it would be good to have them explained before proceeding.
Comment #13
Spokje
I've also followed the instructions in `core/assets/vendor/ckeditor/build-config.js` (and, if that actually matters, am the patch creator for the upgrade to 4.15.0 #3171952-3: Update CKEditor to version 4.15.0, so at least I've danced this jig before...)
I've attached my patch and an interdiff with patch #5
To address (some of) the observations by @bnjmnm:
Same here
In my CKEditor build no PNG files were ~~harmed~~ changed in any way, which is what I expected to happen and is the same behaviour as with the patch for CKEditor 4.15.0.
Let's see if TestBot likes my version.
Comment #14
Spokje
Tests are green, did some (very minor) manual testing and didn't find any problems.
Set to Needs review to get some thorough manual testing.
Comment #15
zrpnr
I used the build-config.js file to create a build of 4.15.1 and can confirm my build matched #13, with no changes to the png files.
Didn't notice the whitespace problems pointed out in #12, my CHANGES.md and LICENSE.md were identical to #5 and #13.
I also saw the same "timestamp" differences in my build, for example in editor_ie8.css in #13 `icons_hidpi.png?t=KBVF` while in mine it is `icons_hidpi.png?t=L061`.
That same timestamp is present in the other css files and in ckeditor.js, but I agree with @bnjmnm that it's a cache busting string and doesn't matter at all to the patch.
The only other difference from my build to the patch in #13 was the copyright in the comments in ckeditor.js which now generates 2021 instead of 2020.
The ckeditor code part of the patches in #5 and #13 are identical except for the timestamps.
I manually tested with #5 and my own build and everything worked normally,
I checked the editor config page, used quickedit and tested the editor by changing content, adding a media element and an inline image.
The current build-config leaves a `.github` folder, should that be added to the ignore section?
Putting back to "needs work" because the patch in #13 is missing the `core.libraries.yml` file and the one in #5 has the altered png files.
Comment #16
Spokje
This patch should take care of that
Updated `core.libraries.yml` and added a reminder to `core/assets/vendor/ckeditor/build-config.js` to do so for further builds.
Well spotted, did just that and also added the `.nvmrc` file to the ignore section of `core/assets/vendor/ckeditor/build-config.js` that was left after the build.
Comment #17
Spokje
Comment #18
lauriii
I confirmed that CKEditor was updated correctly by rebuilding the package and comparing the results with `git diff --color-words=.`. Only changes between the results were hashes that are designed to be unique on every build.
Confirmed that there aren't any big regressions by manually testing basic functionality, Media integration, CKEditor toolbar configuration UI, and Quick Edit.
I also checked the CKEditor 4 issue queue for any major regressions and it seems none is reported at the moment.
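The rebuild-and-compare check described in comments #12 to #18, written out as an added example (not part of the thread and not Drupal's or CKEditor's tooling): it hashes two build trees after masking the per-build `timestamp:"…"` and `?t=…` tokens quoted above, so only unexplained differences remain. The directory names, sample paths and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Per-build cache-busting tokens quoted in the thread (ckeditor.js and the CSS files).
BUILD_TOKENS = [
    (re.compile(rb'timestamp:"[0-9A-Z]+"'), b'timestamp:"<T>"'),
    (re.compile(rb'\?t=[0-9A-Z]+'), b'?t=<T>'),
]

def normalized_digest(path):
    """SHA-256 of a file, with build tokens masked in .js/.css only."""
    data = path.read_bytes()
    if path.suffix in {".js", ".css"}:
        for pattern, placeholder in BUILD_TOKENS:
            data = pattern.sub(placeholder, data)
    return hashlib.sha256(data).hexdigest()

def tree_digests(root):
    return {p.relative_to(root).as_posix(): normalized_digest(p)
            for p in Path(root).rglob("*") if p.is_file()}

def compare_builds(patch_dir, rebuild_dir):
    """Report files that still differ after masking the expected tokens."""
    ref, new = tree_digests(patch_dir), tree_digests(rebuild_dir)
    return {
        "missing": sorted(ref.keys() - new.keys()),
        "extra": sorted(new.keys() - ref.keys()),
        "changed": sorted(n for n in ref.keys() & new.keys() if ref[n] != new[n]),
    }

def demo():
    # Constructed sample trees: (content in patch, content in local rebuild).
    with tempfile.TemporaryDirectory() as tmp:
        patch, rebuild = Path(tmp, "patch"), Path(tmp, "rebuild")
        samples = {
            "ckeditor.js": (b'h={timestamp:"KAK3",version:"4.15.1",',
                            b'h={timestamp:"KBVD",version:"4.15.1",'),
            "skins/editor_ie8.css": (b"a{background:url(icons_hidpi.png?t=KBVF)}",
                                     b"a{background:url(icons_hidpi.png?t=L061)}"),
            "skins/icons.png": (b"\x89PNG-constructed-A", b"\x89PNG-constructed-B"),
        }
        for name, (old, new) in samples.items():
            for base, body in ((patch, old), (rebuild, new)):
                (base / name).parent.mkdir(parents=True, exist_ok=True)
                (base / name).write_bytes(body)
        (rebuild / ".nvmrc").write_bytes(b"constructed\n")  # leftover build file
        return compare_builds(patch, rebuild)
```

Binary files are hashed as-is, so a re-encoded PNG like the one in #12 shows up under `changed` and a leftover such as `.nvmrc` under `extra`, while the timestamp-only differences in the JS and CSS are not reported.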
Comment #21
catch
Committed/pushed to 9.2.x and cherry-picked to 9.1.x, thanks!
Comment #22
Wim Leers
+1, well done.
Better still :)
Thanks all for pushing this across the finish line!
Comment #24
xdong
Patch for drupal 8.9.14.