The latest open-source CKEditor4 release has security vulnerabilities.
I wasn’t able to find any information about the strategy of xWiki to handle the CKEditor Integration extension development.
What is the official statement of the xWiki community?
Is there any way to upgrade CKEditor or use other alternative?
Do you plan to migrate to CKEditor5 in the next releases?
The migration might be complicated and some of the features are available only with paid license…
So @mflorea would probably give you better answers, but the short answer is no: we don’t use CKEditor 4 LTS but the latest open-source version of CKEditor 4, which reached end of life support.
You can see a big discussion on “Hi! Have any plan to use ckeditor 5 in XWiki?” about the difficulty to migrate to CKEditor 5. We’re actively working on finding an alternative; you can check “Choice of editor”. We’re using Cristal development as a playground to also take a decision for the future editor in XWiki.
We’re not aware that the known vulnerabilities would affect the usage of CKEditor 4 in XWiki. We’re currently exploring replacing CKEditor by BlockNote by experimenting with it in Cristal, but it will take time to fully replace it in XWiki.
They let users use the LTS version of CKEditor4 with updates guaranteed till December 2028.
Or at least some guide how to replace the built-in OSS version with the LTS might help.
To be honest, it is affecting the trust in your community.
Could you at least make it visible somewhere or warn users in some way?
There are 4-5 CVEs affecting the OSS CKEditor4, two of them with a CVSS score of 6+. Not sure which of them are affecting xWiki.
So, I understand that CK4 ES requires a license to work. I guess it would mean some way to register a CK4 ES license in XWiki (either in the Admin UI or somewhere in the filesystem).
Is it open source? Could it be legally bundled in some XWiki distribution?
Does this mean that CKSource still supports CK4 (through this CK4 ES distribution) and currently releases new versions regularly? And would “provide support to the community” mean allowing XWiki to bundle CK4 ES in its distribution? Or does it mean something else?
If it’s closed source then we can’t use it in XWiki (nor distribute it).
What we could do is provide some doc so that users know how to replace the open source CK4 version bundled in XWiki with the closed-source CK4 ES version.
Understood, I may confirm that with CKSource once more.
At least some sort of extension as a “framework” to simplify the replacement might help. Meaning, xWiki would not distribute the byte-code, just the functionality for replacing the built-in version.