CKE Editor warning 4.22.1 version not secure

TomTheWise · February 7, 2024, 3:45pm

Hello,

suddenly a warning from CKEditor pops directly into the Editor Textarea, that the used CKE Version is not secure.
As far as im aware CKE 4.24.0-lts can not be integrated as it is a paid/commercial lts version.

So how to suppress this warning?
CEKWarning

Edit: from the changelog of CKE:
Release notes | CKEditor.com
" Please note that this release is a part of CKEditor 4 Extended Support Model, only available to customers who decided to acquire the LTS (Long Term Support) version of the editor. All editor versions below 4.24.0-lts can no longer be considered as secure! "

tmortagne · February 7, 2024, 4:28pm

Thanks for the warning @TomTheWise, looks like it started today, and it seems to show up on a pretty wide range of XWiki versions…

We need to see how we are going to handle that, starting with understand if XWiki really is impacted by those vulnerabilities (seems to be mostly about Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection · Advisory · ckeditor/ckeditor4 · GitHub). It’s not really my area of expertise, but we should have the answer quickly.

watery · February 7, 2024, 4:42pm

Thanks, just confirmed on our instance too

I hope CKE allows the check to be be disabled somewehere.

lucaa · February 7, 2024, 6:05pm

Hello all,

apparently the check of the version of the editor is a new configuration option, described here Class Config (CKEDITOR.config) | CKEditor 4 API docs .

It was added in CKEditor version 4.22.0; XWiki upgraded to CKEditor 4.22.1 in this ticket Loading... .

From what I tested and from what I understand from the ckeditor configuration, the check itself can be disabled by adding:

config.versionCheck = false;

in the CKEditor configuration in XWiki in the administration in the advanced section of the editor configuration: https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor%20Integration/#HAdministrationSection .

This will disable the warning because it will prevent the editor from checking its own version, but it will not fix the version of the editor in any way.

Hope this helps,
Anca

watery · February 7, 2024, 6:23pm

lucaa:

From what I tested and from what I understand from the ckeditor configuration, the check itself can be disabled by adding:
config.versionCheck = false;
in the CKEditor configuration in XWiki in the administration in the advanced section of the editor configuration: https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor%20Integration/#HAdministrationSection .

Wow, thanks. That was really quick!

Of course, but my users would have no way to fix this on their own, so there’s no real point in having them to see the warning.

vmassol · February 8, 2024, 9:03am

FTR @mflorea has found why this warning started to be displayed yesterday:

The HTTP request to https://cke4.ckeditor.com/ckeditor4-secure-version/versions.json?v=4.22.1 was failing before yesterday, because it was cross domain and cke4.ckeditor.com didn’t provide the right CORS HTTP headers. CKSource decided to “fix” this yesterday, thus enabling the warning. I can clearly see
access-control-allow-origin: *
in the response headers.

vmassol · February 8, 2024, 9:07am

It’s now been fixed in Loading...

RensDuijsens · February 8, 2024, 1:16pm

Where (on linux) to find the config-file.
Which config file? There are many.

tmortagne · February 8, 2024, 1:26pm

Not sure why you mention a configuration file. You might want to look at the previous message from @lucaa.

guihin · February 8, 2024, 2:54pm

Thank you very much!
It seems to be necessary to change the configuration in every Sub-Wiki, not only in the Main-Wiki.

guihin · February 8, 2024, 3:06pm

It’s within the XWiki-Administration page (for every Sub-Wiki separately). Look at WYSIWYG Editor Section an Advanced Configurations…

mflorea · February 9, 2024, 8:06am

Yes, but it should be possible to write a script that updates the config (CKEditor.Config page) in all wikis.

mflorea · February 9, 2024, 11:38am

@gdelhumeau was kind to publish a snippet with the Groovy code he used to update the CKEditor configuration on all (sub)wikis from an XWiki instance he’s managing. See https://snippets.xwiki.org/xwiki/bin/view/Extension/Update%20CKEditor%20configuration%20on%20all%20wikis/ .

Thanks,
Marius

vmassol · February 9, 2024, 1:28pm

I also wanted to mention that we’ve analyzed the 3 security issues fixed by CKEditor in their private version 4.24.0 and they don’t affect XWiki.

TomTheWise · February 9, 2024, 7:31pm

Just out of curiosity, is there an plan on a timeline to when to decide on the new editor?
I just checked the page you guys made, WOW a lot of new informmation since I last saw that page in in november.
https://design.xwiki.org/xwiki/bin/view/Proposal/RichEditorRealtimeEditing

vmassol · February 12, 2024, 12:54pm

No precise timeline yet. The exploration is being done in the context of Cristal. For the selection, I’d say mid of the year but the implement will take time. Maybe have a first version before the end of the year.

See https://design.xwiki.org/xwiki/bin/view/Proposal/RichEditorRealtimeEditing for the work that was started.