[BUGFIX] Upgrade to CKEditor4 v4.18.0 (27dd2d1a) · Commits · TYPO3 / TYPO3.CMS

Commit 27dd2d1a authored 3 years ago by

Oliver Hader Committed by Benni Mack 3 years ago

[BUGFIX] Upgrade to CKEditor4 v4.18.0

Recent CKEditor4 v4.18.0 addressed several vulnerabilities:
* CVE-2022-24728 (XSS via attributes & comments)
* CVE-2022-24729 (reDoS via Dialog Plugin API)
* see https://ckeditor.com/cke4/release/CKEditor-4.18.0 for details

Mentioned known vulnerabilities are not considered relevant for the
TYPO3 backend user interface. By-passing CKEditor's XSS protection
allows to persist malicious markup in database fields, which is
mitigated during frontend rendering by typo3/html-sanitizer.

That's why this issue is handled as regular bugfix.

Executed commands:
  cd Build/
  nvm use
  yarn add ckeditor4@^4.18.0
  rm -r ../typo3/sysext/rte_ckeditor/Resources/Public/JavaScript/Contrib/
  yarn exec grunt build

Resolves: #97239
Releases: main, 11.5, 10.4
Change-Id: I3be12120c316b334e7efd237d0300e6d3cd165a8
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74058


Tested-by: core-ci <typo3@b13.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benni Mack <benni@typo3.org>

parent 2e83b410

Branches