CKE Editor warning 4.22.1 version not secure


suddenly a warning from CKEditor pops directly into the Editor Textarea, that the used CKE Version is not secure.
As far as im aware CKE 4.24.0-lts can not be integrated as it is a paid/commercial lts version.

So how to suppress this warning?

Edit: from the changelog of CKE:
Release notes |
" :warning: Please note that this release is a part of CKEditor 4 Extended Support Model, only available to customers who decided to acquire the LTS (Long Term Support) version of the editor. All editor versions below 4.24.0-lts can no longer be considered as secure! :warning:"


Thanks for the warning @TomTheWise, looks like it started today, and it seems to show up on a pretty wide range of XWiki versions…

We need to see how we are going to handle that, starting with understand if XWiki really is impacted by those vulnerabilities (seems to be mostly about Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection · Advisory · ckeditor/ckeditor4 · GitHub). It’s not really my area of expertise, but we should have the answer quickly.

Thanks, just confirmed on our instance too :open_mouth:

I hope CKE allows the check to be be disabled somewehere.

Hello all,

apparently the check of the version of the editor is a new configuration option, described here Class Config (CKEDITOR.config) | CKEditor 4 API docs .

It was added in CKEditor version 4.22.0; XWiki upgraded to CKEditor 4.22.1 in this ticket Loading... .

From what I tested and from what I understand from the ckeditor configuration, the check itself can be disabled by adding:

config.versionCheck = false;

in the CKEditor configuration in XWiki in the administration in the advanced section of the editor configuration: .

This will disable the warning because it will prevent the editor from checking its own version, but it will not fix the version of the editor in any way.

Hope this helps,


Wow, thanks. That was really quick!

Of course, but my users would have no way to fix this on their own, so there’s no real point in having them to see the warning.

FTR @mflorea has found why this warning started to be displayed yesterday:

The HTTP request to was failing before yesterday, because it was cross domain and didn’t provide the right CORS HTTP headers. CKSource decided to “fix” this yesterday, thus enabling the warning. I can clearly see

access-control-allow-origin: *

in the response headers.

1 Like

It’s now been fixed in Loading...

1 Like

Where (on linux) to find the config-file.
Which config file? There are many.

Not sure why you mention a configuration file. You might want to look at the previous message from @lucaa.

Thank you very much!
It seems to be necessary to change the configuration in every Sub-Wiki, not only in the Main-Wiki.

It’s within the XWiki-Administration page (for every Sub-Wiki separately). Look at WYSIWYG Editor Section an Advanced Configurations…

Yes, but it should be possible to write a script that updates the config (CKEditor.Config page) in all wikis.

@gdelhumeau was kind to publish a snippet with the Groovy code he used to update the CKEditor configuration on all (sub)wikis from an XWiki instance he’s managing. See .


1 Like

I also wanted to mention that we’ve analyzed the 3 security issues fixed by CKEditor in their private version 4.24.0 and they don’t affect XWiki.

1 Like

Just out of curiosity, is there an plan on a timeline to when to decide on the new editor?
I just checked the page you guys made, WOW a lot of new informmation since I last saw that page in in november.

No precise timeline yet. The exploration is being done in the context of Cristal. For the selection, I’d say mid of the year but the implement will take time. Maybe have a first version before the end of the year.

See for the work that was started.