CKEditor support status and future

After investing a large amount of time in analyzing the CKEditor status in xWiki, I just discovered:

The latest open-source CKEditor4 release has security vulnerabilities.
I wasn’t able to find any information about the strategy of xWiki to handle the CKEditor Integration extension development.

Is xWiki using CKEditor 4 - LTS?
According to the installation of xWiki 16.10.5, CKEditor is at release 4.22.1.
http://localhost:8080/xwiki/webjars/wiki%3Axwiki/xwiki-platform-ckeditor-webjar/15.10.16/ckeditor.js

What is the official statement of the xWiki community?
Is there any way to upgrade CKEditor or use another alternative?
Do you plan to migrate to CKEditor5 in the next releases?
The migration might be complicated and some of the features are available only with a paid license…

Hi,

So @mflorea would probably give you better answers, but the short answer is no, we don’t use CKEditor 4 - LTS but the latest version of CKEditor, which reached end of life support.

You can see a big discussion on “Hi! Have any plan to use ckeditor 5 in XWiki?” about the difficulty of migrating to CKEditor 5. We’re actively working on finding an alternative; you can check “Choice of editor”. We’re using Cristal development as a playground to also take a decision for the future editor in XWiki.

Hope that answers your questions.

We’re not aware that the known vulnerabilities would affect the usage of CKEditor 4 in XWiki. We’re currently exploring replacing CKEditor by BlockNote by experimenting with it in Cristal, but it will take time to fully replace it in XWiki.

Might it make sense to extend the integration in the way Drupal did?
CKEditor 4 LTS - WYSIWYG HTML editor | Drupal.org

They let users use the LTS version of CKEditor4 with updates guaranteed till December 2028.
Or at least some guide on how to replace the built-in OSS version with the LTS might help.

To be honest, it is affecting the trust in your community.
Could you at least make it visible somewhere or warn users in some way?

There are 4-5 CVEs affecting the OSS CKEditor4, two of them with a CVSS score of 6+. Not sure which of them are affecting xWiki.

Let me know in case I can help you in some way.

I am just in touch with CKSource (vendor of CKEditor) to get the license for Extended Support for our xWiki instance.

Would anybody from the xWiki community be open to working on the provision of a CKEditor4 ES module in xWiki as an Extension?

There is a requirement to buy a license to make it work.
CKSource is open to discussion and to providing support to the community.

Once we have agreed on the purchase of the license for our xWiki, we would be open to sharing our experience.

Hi Peter,

So, I understand that CK4 ES requires a license to work. I guess it would mean some way to register a CK4 ES license in XWiki (either in the Admin UI or somewhere in the filesystem).

Is it open source? Could it be legally bundled in some XWiki distribution?

Does this mean that CKSource still supports CK4 (through this CK4 ES distribution) and currently releases new versions regularly? And “provide support to the community” would mean allowing XWiki to bundle CK4 ES in its distribution? Or does it mean something else?

Thanks

Hi Vincent,
It is “closed-source” and requires a license provided by CKSource Holding sp. z o.o.

Yes, it might require some sort of “Admin UI” as developed for “CKEditor 4 LTS - WYSIWYG HTML editor | Drupal.org”. This Drupal module is the reference for the implementation in xWiki.

The “replacement” of built-in CKEditor4 OSS by the CKEditor4 ES should not be complicated.

Here is the list of 4 CVEs of CKEditor4 OSS: “Ckeditor : Security vulnerabilities, CVEs published in 2024”. All of them are confirmed as fixed in the CKEditor4 ES release.

If it’s closed source then we can’t use it in XWiki (nor distribute it).

What we could do is provide some doc so that users know how to replace the open source CK4 version bundled in XWiki with the closed-source CK4 ES version.

Understood, I may confirm that with CKSource once more.

At least some sort of extension as a “framework” to simplify the replacement might help. Meaning, xWiki will not distribute the byte-code, just the functionality for replacing the built-in version.