
Warning CKEditor 4.14.0 version is not secure #83

Closed
localhostPIB opened this issue Jul 2, 2024 · 13 comments · Fixed by #84

Comments

@localhostPIB (Author)

I get the message: "This Consider upgrading to the latest one, 4.24.0-lts."


How to upgrade this version?

@crlandwe commented Jul 2, 2024

+1, you can hide it with CSS.

@AleksaPetrovicRBT

Hello, indeed you can hide it with CSS, but is this the right solution? In my humble opinion, we should (always) aim for the best and secure libraries. This is what is suggested in the release notes by CKEditor. Can you please let me know whether Flask CKEditor has a plan to fix this and what is the ETA?

@localhostPIB (Author)

> +1, you can hide it with CSS.

You can hide it, but the (potential security) problem remains

@crlandwe commented Jul 3, 2024

> You can hide it, but the (potential security) problem remains

I obviously agree with this, hence the bump and making myself part of the conversation. This feature was first requested in 2020, and here we are in 2024. I suggested this as a band-aid, because I would have hordes of users submitting support tickets about this.

@localhostPIB (Author) commented Jul 3, 2024

> You can hide it, but the (potential security) problem remains
>
> I obviously agree with this, hence the bump and making myself part of the conversation. This feature was first requested in 2020, and here we are in 2024. I suggested this as a band-aid, because I would have hordes of users submitting support tickets about this.

It's certainly not wrong as a quick band-aid, but I hope that there will be a solution that will satisfy us all.

@remyzandwijk (Member)

When using the CDN (meaning: not loading the CKEditor resources from a local location), it should be possible to override the version by using this in the templates:

{{ ckeditor.load(version='4.24.0-lts') }}

I guess it would be better to have something like app.config['CKEDITOR_VERSION'] = '4.24.0-lts', but that's not the case right now.

@localhostPIB (Author)

> When using the CDN (meaning: not loading the CKEditor resources from a local location), it should be possible to override the version by using this in the templates:
>
> {{ ckeditor.load(version='4.24.0-lts') }}
>
> I guess it would be better to have something like app.config['CKEDITOR_VERSION'] = '4.24.0-lts', but that's not the case right now.

The idea is good, but now there's probably a paid version:

[CKEDITOR]: The license key is missing or invalid.

If you suddenly started to see this message, this may mean you accidentally updated CKEditor 4 to the LTS version (4.23.0 and above). This version of the editor is under commercial terms and requires acquiring an "Extended Support Model" contract - https://ckeditor.com/ckeditor-4-support/

For more information about this error go to https://ckeditor.com/docs/ckeditor4/latest/guide/dev_errors.html#invalid-lts-license-key

@remyzandwijk (Member)

Right, I was unaware of that. The latest non-LTS version seems to be 4.22.1, released on June 30th 2023. That version has the security issue found in January 2024 I think, so that's not an option.

@localhostPIB (Author)

When I want to include CKEditor 5, I get the following message in my browser:

"Uncaught SyntaxError: export declarations may only appear at top level of a module".

This is how I integrated it:

{{ ckeditor.load(custom_url=url_for('static', filename='/js/lib/ckeditor5.js')) }}

@greyli (Member) commented Jul 4, 2024

You can disable the version check with custom_config option like this:

{{ ckeditor.config(name='body', custom_config='versionCheck: false') }}

I will default this option to false in the next fix release, similar to what Django-CKEditor did.

A permanent fix would be upgrading to CKEditor 5, which is currently unsupported. Since CKEditor 5 has changed the license to GPL, I don't think we will move to CKEditor 5.

Hence, for security considerations, you may want to:

  • Upgrade to use the latest non-LTS version (i.e. the last open source release of CKEditor 4: 4.22.1) with {{ ckeditor.load(version='4.22.1') }}, then:
    • Move to the paid CKEditor 4 LTS version
    • Integrate CKEditor 5 directly if you are okay with its GPL license
    • Move to alternative editors or extensions
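
An added inventory helper (written here, not part of Flask-CKEditor or CKEditor) that reports which CKEditor 4 build a rendered page loads from the CDN and whether the update banner has merely been silenced with `versionCheck: false` while the old build is still served. The sample HTML snippets are constructed, and the `cdn.ckeditor.com/<version>/<package>/ckeditor.js` URL shape is assumed to be what `ckeditor.load()` emits.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample pages (not captured from the project): the <script> tags a
# Flask-CKEditor template would render with ckeditor.load() / ckeditor.config().
SAMPLE_PAGES: Dict[str, str] = {
    # Flask-CKEditor default before 1.0.0: 4.14.0, no versionCheck setting
    "default": '<script src="//cdn.ckeditor.com/4.14.0/standard/ckeditor.js"></script>\n'
               "<script>CKEDITOR.replace('body', {});</script>",
    # Banner silenced with custom_config='versionCheck: false', version unchanged
    "hidden": '<script src="//cdn.ckeditor.com/4.14.0/standard/ckeditor.js"></script>\n'
              "<script>CKEDITOR.replace('body', {versionCheck: false});</script>",
    # ckeditor.load(version='4.22.1'): last open-source CKEditor 4 release
    "pinned": '<script src="//cdn.ckeditor.com/4.22.1/standard/ckeditor.js"></script>',
    # ckeditor.load(version='4.24.0-lts'): commercial LTS build
    "lts": '<script src="//cdn.ckeditor.com/4.24.0-lts/standard/ckeditor.js"></script>',
}

# Assumed CDN URL shape: cdn.ckeditor.com/<version>[-lts]/<package>/ckeditor.js
CDN_RE = re.compile(r"cdn\.ckeditor\.com/(\d+\.\d+\.\d+)(-lts)?/\w+/ckeditor\.js")
VERSION_CHECK_RE = re.compile(r"versionCheck\s*:\s*(true|false)")
LAST_OPEN_SOURCE = (4, 22, 1)  # 4.23.0 and above are LTS and need a license key


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def assess(html: str) -> Dict[str, object]:
    """Report which CKEditor 4 build a page loads and whether the banner is only hidden."""
    match = CDN_RE.search(html)
    if match is None:
        return {"found": False}
    version, is_lts = match.group(1), match.group(2) is not None
    parsed = parse_version(version)
    if parsed < LAST_OPEN_SOURCE:
        status = "older than the last open-source release (4.22.1)"
    elif parsed == LAST_OPEN_SOURCE:
        status = "last open-source release; the thread reports it is still flagged"
    else:
        status = "LTS build (4.23.0+), commercial license key required"
    check = VERSION_CHECK_RE.search(html)
    version_check: Optional[bool] = None if check is None else check.group(1) == "true"
    return {
        "found": True,
        "version": version + ("-lts" if is_lts else ""),
        "status": status,
        "version_check": version_check,
        # The case the thread warns about: banner suppressed, old build still served
        "banner_hidden_but_outdated": version_check is False and not is_lts,
    }
```

Run `assess()` over the HTML your Flask views actually render (for example from a test client) rather than over the templates, so that the version pinned by `ckeditor.load()` and any `custom_config` are both visible to the check.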

@localhostPIB (Author)

> A permanent fix would be upgrading to CKEditor 5, which is currently unsupported. Since CKEditor 5 has changed the license to GPL, I don't think we will move to CKEditor 5.

I was afraid of something like this

@ai-abdellah

Even version 4.22.1 is not secure.


@greyli greyli closed this as completed in #84 Jul 4, 2024
@greyli greyli pinned this issue Jul 4, 2024
@greyli (Member) commented Jul 4, 2024

In the 1.0.0 version, the version check has been disabled.
