VYPR
Moderate severity · NVD Advisory · Published Feb 7, 2024 · Updated Feb 13, 2025

CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection

CVE-2024-24815

Description

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in the core HTML parsing module in versions of CKEditor4 prior to 4.24.0-lts. It may affect all editor instances that enabled full-page editing mode or enabled CDATA elements in Advanced Content Filtering configuration (defaults to script and style elements). The vulnerability allows attackers to inject malformed HTML content bypassing Advanced Content Filtering mechanism, which could result in executing JavaScript code. An attacker could abuse faulty CDATA content detection and use it to prepare an intentional attack on the editor. A fix is available in version 4.24.0-lts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CKEditor4 prior to 4.24.0-lts has a cross-site scripting vulnerability due to faulty CDATA content detection in its HTML parser, bypassing Advanced Content Filtering.

Vulnerability

A cross-site scripting (XSS) vulnerability has been discovered in the core HTML parsing module of CKEditor4 versions prior to 4.24.0-lts. The issue lies in the CDATA content detection logic during parsing. When full-page editing mode is enabled or CDATA elements (such as `script` and `style` by default) are allowed in the Advanced Content Filtering (ACF) configuration, an attacker can inject malformed HTML content that bypasses the ACF mechanism. The faulty CDATA detection allowed malicious content to be processed as raw text, potentially enabling JavaScript execution [1][2].

Exploitation

The vulnerability can be exploited by an attacker who can supply crafted HTML content to an editor instance (e.g., via pasted content, source mode, or editor.setData()). No prior authentication is required if the editor is publicly accessible. The attack surface includes any CKEditor4 instance with full-page mode enabled or with CDATA element support (the default for `script` and `style`) [1][2]. The parser failed to properly isolate CDATA sections; as shown in the fix commit, the logic was corrected to locate the closing tag with a regex and to handle CDATA boundaries explicitly [2].
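To make the boundary rule concrete, here is an added example, not CKEditor's own htmlparser.js: a minimal tokenizer that follows the patched approach (closing-tag regex, remainder-as-CDATA fallback, scanner resumed right after the CDATA body). `CDATA_ELEMENTS`, `TAG_RE`, `tokenize`, `summarize` and the sample input are constructed for this illustration.

```javascript
// Added example, not CKEditor's htmlparser: a minimal tokenizer that applies
// the CDATA-boundary rule from the 4.24.0-lts fix. All names and the sample
// input below are constructed for this illustration.

// Raw-text elements whose body must never be scanned for tags
// (stands in for CKEDITOR.dtd.$cdata; assumed here to be script and style).
const CDATA_ELEMENTS = { script: true, style: true };

// Simplified tag matcher: group 1 is "/" for a closing tag, group 2 the name.
// Attribute values containing ">" are not handled; that is beside the point here.
const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)[^>]*>/g;

function tokenize(html) {
  const tokens = [];
  let nextIndex = 0;
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    if (m.index > nextIndex) {
      tokens.push({ type: 'text', value: html.substring(nextIndex, m.index) });
    }
    nextIndex = TAG_RE.lastIndex;
    const tagName = m[2].toLowerCase();
    if (m[1] === '/') {
      tokens.push({ type: 'close', name: tagName });
      continue;
    }
    tokens.push({ type: 'open', name: tagName });
    if (CDATA_ELEMENTS[tagName]) {
      // Patched strategy: find the matching closing tag (case-insensitively) in
      // the remaining input and take everything before it as one CDATA chunk.
      const closingTagRegex = new RegExp('</' + tagName + '>', 'i');
      const rest = html.substring(nextIndex);
      let closingTagIndex = rest.search(closingTagRegex);
      if (closingTagIndex === -1) {
        // No closing tag: the remainder of the input is CDATA and is never re-scanned.
        closingTagIndex = rest.length;
      }
      const cdata = rest.substring(0, closingTagIndex);
      tokens.push({ type: 'cdata', name: tagName, value: cdata });
      // Resume the tag scanner right after the CDATA so the closing tag is the
      // next thing it sees; any tag-like text inside the body is skipped entirely.
      TAG_RE.lastIndex = nextIndex + cdata.length;
      nextIndex = TAG_RE.lastIndex;
    }
  }
  if (nextIndex < html.length) {
    tokens.push({ type: 'text', value: html.substring(nextIndex) });
  }
  return tokens;
}

// Human-readable one-line-per-token view, e.g. 'cdata(script): "var s = ..."'.
function summarize(tokens) {
  return tokens.map(function (t) {
    if (t.type === 'text') return 'text: ' + JSON.stringify(t.value);
    if (t.type === 'cdata') return 'cdata(' + t.name + '): ' + JSON.stringify(t.value);
    return t.type + ': ' + t.name;
  });
}

// Constructed sample: the "<b>" markup inside the script body must end up
// inside the CDATA token, not as open/close tokens of its own.
const SAMPLE = '<p>a</p><script>var s = "<b>x</b>";</script><p>b</p>';
console.log(summarize(tokenize(SAMPLE)).join('\n'));
```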

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the CKEditor4 instance. This can lead to actions such as stealing session cookies, defacing content, or performing actions on behalf of the victim user. The vulnerability directly undermines the protective intent of Advanced Content Filtering, which is designed to limit HTML input to safe content [1].

Mitigation

A fix is available in CKEditor4 version 4.24.0-lts. Users are strongly advised to update to this version. For those using the open-source version, note that CKEditor4 reached end-of-life on June 30, 2023, and only the commercial LTS version receives security updates. If upgrading is not immediately possible, consider disabling full-page editing mode or removing support for CDATA elements in the ACF configuration, but this may not fully mitigate the risk [2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
ckeditor4           npm         < 4.24.0-lts        4.24.0-lts
ckeditor/ckeditor   Packagist   < 4.24.0            4.24.0

Affected products: 5

Patches: 1

8ed1a3c93d0a

Merge commit

https://github.com/ckeditor/ckeditor4 · Jacek Bogdański · Jan 16, 2024 · via ghsa
32 files changed · +662 −112
  • core/htmlparser.js  +20 −15  modified
    @@ -121,10 +121,7 @@ CKEDITOR.htmlParser = function() {
     				if ( tagIndex > nextIndex ) {
     					var text = html.substring( nextIndex, tagIndex );
     
    -					if ( cdata )
    -						cdata.push( text );
    -					else
    -						this.onText( text );
    +					this.onText( text );
     				}
     
     				nextIndex = this._.htmlPartsRegex.lastIndex;
    @@ -142,7 +139,7 @@ CKEDITOR.htmlParser = function() {
     
     					if ( cdata && CKEDITOR.dtd.$cdata[ tagName ] ) {
     						// Send the CDATA data.
    -						this.onCDATA( cdata.join( '' ) );
    +						this.onCDATA( cdata );
     						cdata = null;
     					}
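Review bot: the guard at `if ( cdata && CKEDITOR.dtd.$cdata[ tagName ] )` now tests a string rather than the old array, so an empty raw-text element such as `<script></script>` yields `cdata = ''`, which is falsy: `onCDATA` is not called and `cdata` is not reset to `null` for that element, whereas the previous `[]` was truthy and did reach `onCDATA`. Consider `if ( cdata !== null && CKEDITOR.dtd.$cdata[ tagName ] )` so the empty case keeps following the same path.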
     
    @@ -152,20 +149,15 @@ CKEDITOR.htmlParser = function() {
     					}
     				}
     
    -				// If CDATA is enabled, just save the raw match.
    -				if ( cdata ) {
    -					cdata.push( parts[ 0 ] );
    -					continue;
    -				}
    -
     				// Opening tag
     				if ( ( tagName = parts[ 3 ] ) ) {
     					tagName = tagName.toLowerCase();
     
     					// There are some tag names that can break things, so let's
     					// simply ignore them when parsing. (https://dev.ckeditor.com/ticket/5224)
    -					if ( /="/.test( tagName ) )
    +					if ( /="/.test( tagName ) ) {
     						continue;
    +					}
     
     					var attribs = {},
     						attribMatch,
    @@ -186,9 +178,22 @@ CKEDITOR.htmlParser = function() {
     
     					this.onTagOpen( tagName, attribs, selfClosing );
     
    -					// Open CDATA mode when finding the appropriate tags.
    -					if ( !cdata && CKEDITOR.dtd.$cdata[ tagName ] )
    -						cdata = [];
    +					// CDATA
    +					if ( CKEDITOR.dtd.$cdata[ tagName ] ) {
    +						var closingTagRegex = new RegExp( '<\/' + tagName + '>', 'i' ),
    +							htmlPart = html.substring( nextIndex ),
    +							closingTagIndex = htmlPart.search( closingTagRegex );
    +
    +						// If closing tag was not found, treat all remaining text as CDATA.
    +						if ( closingTagIndex === -1 ) {
    +							closingTagIndex = htmlPart.length;
    +						}
    +
    +						cdata = htmlPart.substring( 0, closingTagIndex );
    +
    +						this._.htmlPartsRegex.lastIndex = nextIndex + cdata.length;
    +						nextIndex = this._.htmlPartsRegex.lastIndex;
    +					}
     
     					continue;
     				}
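Review bot: the closing-tag regex `new RegExp( '<\/' + tagName + '>', 'i' )` accepts only `</tagname>` with nothing between the name and `>`, while HTML end tags may carry whitespace there; allowing `'\\s*>'` keeps the parser's end-of-section position aligned with the one the browser will use. `tagName` is also interpolated straight from the match into the regex source, so it is worth confirming that `htmlPartsRegex` restricts tag-name characters to non-metacharacters, or escaping it, so the constructed regex cannot throw or match something unintended. The fallback `closingTagIndex = htmlPart.length` correctly makes an unterminated raw-text element swallow the rest of the input rather than re-scanning it for tags.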
    
  • plugins/autogrow/samples/autogrow.html  +22 −0  modified
    @@ -64,6 +64,28 @@ <h1 class="samples">
     			<script>
     
     				CKEDITOR.replace( 'editor1', {
    +					plugins: [
    +						'wysiwygarea',
    +						'sourcearea',
    +						'clipboard',
    +						'basicstyles',
    +						'pastefromword',
    +						'pastefromlibreoffice',
    +						'pastefromgdocs',
    +						'undo',
    +						'stylescombo',
    +						'format',
    +						'font',
    +						'colorbutton',
    +						'removeformat',
    +						'link',
    +						'list',
    +						'justify',
    +						'blockquote',
    +						'table',
    +						'tabletools',
    +						'image'
    +					],
     					extraPlugins: 'autogrow',
     					removePlugins: 'resize'
     				});
    
  • plugins/devtools/samples/devtools.html  +22 −0  modified
    @@ -64,6 +64,28 @@ <h1 class="samples">
     				// Replace the <textarea id="editor"> with an CKEditor
     				// instance, using default configurations.
     				CKEDITOR.replace( 'editor1', {
    +					plugins: [
    +						'wysiwygarea',
    +						'sourcearea',
    +						'clipboard',
    +						'basicstyles',
    +						'pastefromword',
    +						'pastefromlibreoffice',
    +						'pastefromgdocs',
    +						'undo',
    +						'stylescombo',
    +						'format',
    +						'font',
    +						'colorbutton',
    +						'removeformat',
    +						'link',
    +						'list',
    +						'justify',
    +						'blockquote',
    +						'table',
    +						'tabletools',
    +						'image'
    +					],
     					extraPlugins: 'devtools'
     				});
     
    
  • plugins/divarea/samples/divarea.html  +21 −0  modified
    @@ -43,6 +43,27 @@ <h1 class="samples">
     			// Replace the <textarea id="editor"> with an CKEditor
     			// instance, using default configurations.
     			CKEDITOR.replace( 'editor1', {
    +				plugins: [
    +					'sourcearea',
    +					'clipboard',
    +					'basicstyles',
    +					'pastefromword',
    +					'pastefromlibreoffice',
    +					'pastefromgdocs',
    +					'undo',
    +					'stylescombo',
    +					'format',
    +					'font',
    +					'colorbutton',
    +					'removeformat',
    +					'link',
    +					'list',
    +					'justify',
    +					'blockquote',
    +					'table',
    +					'tabletools',
    +					'image'
    +				],
     				extraPlugins: 'divarea'
     			});
     
    
  • plugins/docprops/samples/docprops.html  +15 −10  modified
    @@ -34,18 +34,13 @@ <h1 class="samples">
     <pre class="samples">
     CKEDITOR.replace( '<em>textarea_id</em>', {
     	<strong>fullPage: true</strong>,
    -	<strong>extraPlugins: 'docprops'</strong>,
    -	<strong>allowedContent: true</strong>
    -});
    +	<strong>extraPlugins: 'docprops'</strong>
    +} );
     </pre>
     		<p>
     			Note that <code><em>textarea_id</em></code> in the code above is the <code>id</code> attribute of
     			the <code>&lt;textarea&gt;</code> element to be replaced.
     		</p>
    -		<p>
    -			The <code><em>allowedContent</em></code> in the code above is set to <code>true</code> to disable content filtering.
    -			Setting this option is not obligatory, but in full page mode there is a strong chance that one may want be able to freely enter any HTML content in source mode without any limitations.
    -		</p>
     	</div>
     	<form action="../../../samples/sample_posteddata.php" method="post">
     		<label for="editor1">
    @@ -59,9 +54,19 @@ <h1 class="samples">
     
     			CKEDITOR.replace( 'editor1', {
     				fullPage: true,
    -				extraPlugins: 'docprops',
    -				allowedContent: true
    -			});
    +				extraPlugins: 'docprops, wysiwygarea',
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			} );
     
     		</script>
     		<p>
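Review bot: the `contentPreview` handler that swaps the preview for the blocked-notice `<div>` is pasted verbatim into this sample and, elsewhere in this commit, into toolbar.html, fullpage.html, samples/js/sample.js, ajax.html, api.html and appendto.html. A single shared helper in samples/js/sample.js, or the global `CKEDITOR.on( 'instanceCreated', ... )` hook that samples/old/datafiltering.html uses in this same commit, would keep the notice text and its documentation link from drifting between copies.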
    
  • plugins/enterkey/samples/enterkey.html  +22 −0  modified
    @@ -24,6 +24,28 @@
     
     			// Create the editor again, with the appropriate settings.
     			editor = CKEDITOR.replace( 'editor1', {
    +				plugins: [
    +					'wysiwygarea',
    +					'sourcearea',
    +					'clipboard',
    +					'basicstyles',
    +					'pastefromword',
    +					'pastefromlibreoffice',
    +					'pastefromgdocs',
    +					'undo',
    +					'stylescombo',
    +					'format',
    +					'font',
    +					'colorbutton',
    +					'removeformat',
    +					'link',
    +					'list',
    +					'justify',
    +					'blockquote',
    +					'table',
    +					'tabletools',
    +					'image'
    +				],
     				extraPlugins: 'enterkey',
     				enterMode: Number( document.getElementById( 'xEnter' ).value ),
     				shiftEnterMode: Number( document.getElementById( 'xShiftEnter' ).value )
    
  • plugins/htmlwriter/samples/outputhtml.html  +3 −1  modified
    @@ -147,7 +147,9 @@ <h1 class="samples">
     					on: {
     						pluginsLoaded: configureTransformations,
     						loaded: configureHtmlWriter
    -					}
    +					},
    +
    +					removePlugins: 'preview, print'
     				});
     
     				/*
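Review bot: `removePlugins: 'preview, print'` carries a space after the comma, whereas the other plugin lists in this commit are written without spaces (`removePlugins: 'floatingspace,resize'`); use `'preview,print'` for consistency.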
    
  • plugins/image2/samples/image2.html  +21 −0  modified
    @@ -49,6 +49,27 @@ <h1 class="samples">
     	<script>
     
     		CKEDITOR.replace( 'editor1', {
    +			plugins: [
    +				'wysiwygarea',
    +				'sourcearea',
    +				'clipboard',
    +				'basicstyles',
    +				'pastefromword',
    +				'pastefromlibreoffice',
    +				'pastefromgdocs',
    +				'undo',
    +				'stylescombo',
    +				'format',
    +				'font',
    +				'colorbutton',
    +				'removeformat',
    +				'link',
    +				'list',
    +				'justify',
    +				'blockquote',
    +				'table',
    +				'tabletools'
    +			],
     			extraPlugins: 'image2',
     			height: 450
     		} );
    
  • plugins/magicline/samples/magicline.html  +48 −4  modified
    @@ -106,9 +106,31 @@ <h1 class="samples">
     			// window.onload event handler.
     
     			CKEDITOR.replace( 'editor1', {
    +				plugins: [
    +					'wysiwygarea',
    +					'sourcearea',
    +					'clipboard',
    +					'basicstyles',
    +					'pastefromword',
    +					'pastefromlibreoffice',
    +					'pastefromgdocs',
    +					'undo',
    +					'stylescombo',
    +					'format',
    +					'font',
    +					'colorbutton',
    +					'removeformat',
    +					'link',
    +					'list',
    +					'justify',
    +					'blockquote',
    +					'table',
    +					'tabletools',
    +					'image',
    +					'horizontalrule'
    +				],
     				extraPlugins: 'magicline',	// Ensure that magicline plugin, which is required for this sample, is loaded.
    -				allowedContent: true		// Switch off the ACF, so very complex content created to
    -											// show magicline's power isn't filtered.
    +				extraAllowedContent: 'div{*}'
     			} );
     
     		</script>
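Review bot: the removed `allowedContent: true` lines carried a comment explaining why the sample relaxed ACF, but the replacement `extraAllowedContent: 'div{*}'` has none; add a one-line comment stating that the rule admits `div` elements with any inline style so the magicline demo content survives filtering, since `{*}` is broader than a reader of the sample would otherwise expect.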
    @@ -188,10 +210,32 @@ <h1 class="samples">
     			// window.onload event handler.
     
     			CKEDITOR.replace( 'editor2', {
    +				plugins: [
    +					'wysiwygarea',
    +					'sourcearea',
    +					'clipboard',
    +					'basicstyles',
    +					'pastefromword',
    +					'pastefromlibreoffice',
    +					'pastefromgdocs',
    +					'undo',
    +					'stylescombo',
    +					'format',
    +					'font',
    +					'colorbutton',
    +					'removeformat',
    +					'link',
    +					'list',
    +					'justify',
    +					'blockquote',
    +					'table',
    +					'tabletools',
    +					'image',
    +					'horizontalrule'
    +				],
     				extraPlugins: 'magicline',	// Ensure that magicline plugin, which is required for this sample, is loaded.
     				magicline_color: 'blue',	// Blue line
    -				allowedContent: true		// Switch off the ACF, so very complex content created to
    -											// show magicline's power isn't filtered.
    +				extraAllowedContent: 'div{*}'
     			});
     
     		</script>
    
  • plugins/mathjax/samples/mathjax.html  +41 −0  modified
    @@ -25,6 +25,47 @@ <h1 class="samples">
     	<div class="warning deprecated">
     		This sample is not maintained anymore. Check out its <a href="https://ckeditor.com/docs/ckeditor4/latest/examples/mathjax.html">brand new version in CKEditor Examples</a>.
     	</div>
    +	<form action="../../../samples/sample_posteddata.php" method="post">
    +		<div class="description">
    +			<p>
    +				This editor allows displaying mathematical formulas, enabled by the <strong>Mathjax</strong> plugin.
    +			</p>
    +<pre class="samples">
    +CKEDITOR.replace( '<em>textarea_id</em>', {
    +	extraPlugins: 'mathjax',
    +	mathJaxLib: '<em>&lt;URL to the MathJax library&gt;</em>'
    +} );</pre>
    +		</div>
    +		<div id="editor1">
    +			<p>The following equations are represented in the HTML source code as LaTeX expressions.</p>
    +			<h1>The Cauchy-Schwarz Inequality</h1>
    +			<p><span class="math-tex">\( \left( \sum_{k=1}^n a_k b_k \right)^2 \leq \left( \sum_{k=1}^n a_k^2 \right) \left( \sum_{k=1}^n b_k^2 \right) \)</span></p>
    +			<h1>The probability of getting <span class="math-tex">\(k\)</span> heads when flipping <span class="math-tex">\(n\)</span> coins is</h1>
    +			<p><span class="math-tex">\(P(E) = {n \choose k} p^k (1-p)^{ n-k} \)</span></p>
    +			<p>Finally, while displaying equations is useful for demonstration purposes, the ability to mix math and text in a paragraph is also important. This expression <span class="math-tex">\(\sqrt{3x-1}+(1+x)^2\)</span> is an example of an inline equation. As you see, MathJax equations can be used this way as well, without disturbing the spacing between the lines.</p>
    +		</div>
    +		<script>
    +
    +			// This call can be placed at any point after the
    +			// <textarea>, or inside a <head><script> in a
    +			// window.onload event handler.
    +
    +			// Replace the <textarea id="editor"> with an CKEditor
    +			// instance, using default configurations.
    +			CKEDITOR.replace( 'editor1', {
    +				plugins: [
    +					'wysiwygarea',
    +					'sourcearea',
    +					'clipboard',
    +					'basicstyles',
    +					'undo',
    +					'format'
    +				],
    +				extraPlugins: 'mathjax',
    +				mathJaxLib: 'https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.4/MathJax.js?config=TeX-AMS_HTML'
    +			} );
    +
    +		</script>
     	<div id="footer">
     		<hr>
     		<p>
    
  • plugins/placeholder/samples/placeholder.html  +22 −0  modified
    @@ -53,6 +53,28 @@ <h1 class="samples">
     			<script>
     
     				CKEDITOR.replace( 'editor1', {
    +					plugins: [
    +						'wysiwygarea',
    +						'sourcearea',
    +						'clipboard',
    +						'basicstyles',
    +						'pastefromword',
    +						'pastefromlibreoffice',
    +						'pastefromgdocs',
    +						'undo',
    +						'stylescombo',
    +						'format',
    +						'font',
    +						'colorbutton',
    +						'removeformat',
    +						'link',
    +						'list',
    +						'justify',
    +						'blockquote',
    +						'table',
    +						'tabletools',
    +						'image'
    +					],
     					extraPlugins: 'placeholder'
     				});
     
    
  • plugins/sharedspace/samples/sharedspace.html  +88 −0  modified
    @@ -68,6 +68,28 @@ <h3>
     		CKEDITOR.disableAutoInline = true;
     
     		CKEDITOR.inline( 'inline1', {
    +			plugins: [
    +				'wysiwygarea',
    +				'sourcearea',
    +				'clipboard',
    +				'basicstyles',
    +				'pastefromword',
    +				'pastefromlibreoffice',
    +				'pastefromgdocs',
    +				'undo',
    +				'stylescombo',
    +				'format',
    +				'font',
    +				'colorbutton',
    +				'removeformat',
    +				'link',
    +				'list',
    +				'justify',
    +				'blockquote',
    +				'table',
    +				'tabletools',
    +				'image'
    +			],
     			extraPlugins: 'sharedspace',
     			removePlugins: 'floatingspace,resize',
     			sharedSpaces: {
    @@ -77,6 +99,28 @@ <h3>
     		});
     
     		CKEDITOR.inline( 'inline2', {
    +			plugins: [
    +				'wysiwygarea',
    +				'sourcearea',
    +				'clipboard',
    +				'basicstyles',
    +				'pastefromword',
    +				'pastefromlibreoffice',
    +				'pastefromgdocs',
    +				'undo',
    +				'stylescombo',
    +				'format',
    +				'font',
    +				'colorbutton',
    +				'removeformat',
    +				'link',
    +				'list',
    +				'justify',
    +				'blockquote',
    +				'table',
    +				'tabletools',
    +				'image'
    +			],
     			extraPlugins: 'sharedspace',
     			removePlugins: 'floatingspace,resize',
     			sharedSpaces: {
    @@ -86,6 +130,28 @@ <h3>
     		});
     
     		CKEDITOR.appendTo( 'framed1', {
    +				plugins: [
    +					'wysiwygarea',
    +					'sourcearea',
    +					'clipboard',
    +					'basicstyles',
    +					'pastefromword',
    +					'pastefromlibreoffice',
    +					'pastefromgdocs',
    +					'undo',
    +					'stylescombo',
    +					'format',
    +					'font',
    +					'colorbutton',
    +					'removeformat',
    +					'link',
    +					'list',
    +					'justify',
    +					'blockquote',
    +					'table',
    +					'tabletools',
    +					'image'
    +				],
     				extraPlugins: 'sharedspace',
     				removePlugins: 'maximize,resize',
     				sharedSpaces: {
    @@ -97,6 +163,28 @@ <h3>
     		);
     
     		CKEDITOR.appendTo( 'framed2', {
    +				plugins: [
    +					'wysiwygarea',
    +					'sourcearea',
    +					'clipboard',
    +					'basicstyles',
    +					'pastefromword',
    +					'pastefromlibreoffice',
    +					'pastefromgdocs',
    +					'undo',
    +					'stylescombo',
    +					'format',
    +					'font',
    +					'colorbutton',
    +					'removeformat',
    +					'link',
    +					'list',
    +					'justify',
    +					'blockquote',
    +					'table',
    +					'tabletools',
    +					'image'
    +				],
     				extraPlugins: 'sharedspace',
     				removePlugins: 'maximize,resize',
     				sharedSpaces: {
    
  • plugins/stylesheetparser/samples/stylesheetparser.html  +22 −0  modified
    @@ -57,6 +57,28 @@ <h1 class="samples">
     				// Replace the <textarea id="editor"> with an CKEditor
     				// instance, using default configurations.
     				CKEDITOR.replace( 'editor1' , {
    +					plugins: [
    +						'wysiwygarea',
    +						'sourcearea',
    +						'clipboard',
    +						'basicstyles',
    +						'pastefromword',
    +						'pastefromlibreoffice',
    +						'pastefromgdocs',
    +						'undo',
    +						'stylescombo',
    +						'format',
    +						'font',
    +						'colorbutton',
    +						'removeformat',
    +						'link',
    +						'list',
    +						'justify',
    +						'blockquote',
    +						'table',
    +						'tabletools',
    +						'image'
    +					],
     					extraPlugins: 'stylesheetparser',
     
     					// Stylesheet for the contents.
    
  • plugins/tableresize/samples/tableresize.html  +22 −0  modified
    @@ -85,6 +85,28 @@ <h1 class="samples">
     				// Replace the <textarea id="editor"> with an CKEditor
     				// instance, using default configurations.
     				CKEDITOR.replace( 'editor1', {
    +					plugins: [
    +						'wysiwygarea',
    +						'sourcearea',
    +						'clipboard',
    +						'basicstyles',
    +						'pastefromword',
    +						'pastefromlibreoffice',
    +						'pastefromgdocs',
    +						'undo',
    +						'stylescombo',
    +						'format',
    +						'font',
    +						'colorbutton',
    +						'removeformat',
    +						'link',
    +						'list',
    +						'justify',
    +						'blockquote',
    +						'table',
    +						'tabletools',
    +						'image'
    +					],
     					extraPlugins: 'tableresize'
     				});
     
    
  • plugins/toolbar/samples/toolbar.html  +26 −2  modified
    @@ -140,13 +140,37 @@ <h2 class="samples">Full toolbar configuration</h2>
     		CKEDITOR.dom.element.createFromHtml( preOutput ).replace( pre );
     	} );
     
    -	CKEDITOR.replace( 'editorCurrent', { height: 100 } );
    +	CKEDITOR.replace( 'editorCurrent', {
    +		height: 100,
    +		on: {
    +			contentPreview: function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			}
    +		}
    +	} );
     	CKEDITOR.replace( 'editorFull', {
     		// Reset toolbar settings, so full toolbar will be generated automatically.
     		toolbar: null,
     		toolbarGroups: null,
     		removeButtons: null,
    -		height: 100
    +		height: 100,
    +		on: {
    +			contentPreview: function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			}
    +		}
     	} );
     
     	function dumpToolbarConfiguration( editor, printGroups ) {
    
  • plugins/wysiwygarea/samples/fullpage.html  +14 −9  modified
    @@ -33,18 +33,13 @@ <h1 class="samples">
     		</p>
     <pre class="samples">
     CKEDITOR.replace( '<em>textarea_id</em>', {
    -	<strong>fullPage: true</strong>,
    -	<strong>allowedContent: true</strong>
    +	<strong>fullPage: true</strong>
     });
     </pre>
     		<p>
     			Note that <code><em>textarea_id</em></code> in the code above is the <code>id</code> attribute of
     			the <code>&lt;textarea&gt;</code> element to be replaced.
     		</p>
    -		<p>
    -			The <code><em>allowedContent</em></code> in the code above is set to <code>true</code> to disable content filtering.
    -			Setting this option is not obligatory, but in full page mode there is a strong chance that one may want be able to freely enter any HTML content in source mode without any limitations.
    -		</p>
     	</div>
     	<form action="../../../samples/sample_posteddata.php" method="post">
     		<label for="editor1">
    @@ -58,9 +53,19 @@ <h1 class="samples">
     
     			CKEDITOR.replace( 'editor1', {
     				fullPage: true,
    -				allowedContent: true,
    -				extraPlugins: 'wysiwygarea'
    -			});
    +				extraPlugins: 'wysiwygarea',
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			} );
     
     		</script>
     		<p>
    
  • samples/js/sample.js  +26 −2  modified
    @@ -30,10 +30,34 @@ var initSample = ( function() {
     
     		// Depending on the wysiwygarea plugin availability initialize classic or inline editor.
     		if ( wysiwygareaAvailable ) {
    -			CKEDITOR.replace( 'editor' );
    +			CKEDITOR.replace( 'editor', {
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			} );
     		} else {
     			editorElement.setAttribute( 'contenteditable', 'true' );
    -			CKEDITOR.inline( 'editor' );
    +			CKEDITOR.inline( 'editor', {
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			} );
     
     			// TODO we can consider displaying some info box that
     			// without wysiwygarea the classic editor may not work.
    
  • samples/old/ajax.html  +15 −4  modified
    @@ -19,7 +19,19 @@
     				return;
     
     			// Create a new editor inside the <div id="editor">, setting its value to html
    -			var config = {};
    +			var config = {
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			};
     			editor = CKEDITOR.appendTo( 'editor', config, html );
     		}
     
    @@ -29,7 +41,7 @@
     
     			// Retrieve the editor contents. In an Ajax application, this data would be
     			// sent to the server or used in any other way.
    -			document.getElementById( 'editorcontents' ).innerHTML = html = editor.getData();
    +			document.getElementById( 'editorcontents' ).value = html = editor.getData();
     			document.getElementById( 'contents' ).style.display = '';
     
     			// Destroy the editor.
    @@ -69,8 +81,7 @@ <h1 class="samples">
     			Edited Contents:
     		</p>
     		<!-- This div will be used to display the editor contents. -->
    -		<div id="editorcontents">
    -		</div>
    +		<textarea id="editorcontents" style="width: 100%;min-height: 2em;"></textarea>
     	</div>
     	<div id="footer">
     		<hr>
    
  • samples/old/api.html  +10 −0  modified
    @@ -166,6 +166,16 @@ <h1 class="samples">
     							doc.getById( 'exec-bold' ).hide();
     						if ( !ed.getCommand( 'link' ) )
     							doc.getById( 'exec-link' ).hide();
    +					},
    +
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
     					}
     				}
     			});
    
  • samples/old/appendto.html  +13 −1  modified
    @@ -39,7 +39,19 @@ <h1 class="samples">
     			// Append a CKEditor instance using the default configuration and the
     			// provided content to the <div> element of ID "section1".
     			CKEDITOR.appendTo( 'section1',
    -				null,
    +				{
    +					on: {
    +						contentPreview: function( evt ) {
    +							evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +									'<h1>Content Preview was blocked</h1>' +
    +									'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +									'<p>Please refer to our ' +
    +										'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +										'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +								'</div>';
    +						}
    +					}
    +				},
     				'<p>This is some <strong>sample text</strong>. You are using <a href="https://ckeditor.com/">CKEditor</a>.</p>'
     			);
     
    
  • samples/old/datafiltering.html  +19 −49  modified
    @@ -13,6 +13,18 @@
     	<script>
     		// Remove advanced tabs for all editors.
     		CKEDITOR.config.removeDialogTabs = 'image:advanced;link:advanced;creatediv:advanced;editdiv:advanced';
    +
    +		CKEDITOR.on( 'instanceCreated', function( evt ) {
    +			evt.editor.on( 'contentPreview',function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			} );
    +		} );
     	</script>
     </head>
     <body>
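Review bot: this file registers the handler through a global `CKEDITOR.on( 'instanceCreated', ... )` hook while most other samples pass `on: { contentPreview: ... }` in the per-instance config; for a page that creates several editors the global hook is the better fit, but the two approaches should be applied consistently across the samples rather than mixed. Two nits in the hunk: the inner `function( evt )` shadows the `evt` argument of the enclosing `instanceCreated` callback (rename one of them), and `'contentPreview',function( evt )` is missing the space after the comma that the rest of the patch uses (`'contentPreview', function( evt )`).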
    @@ -119,6 +131,13 @@ <h3>How to configure or disable ACF?</h3>
     	<strong>allowedContent: true</strong>
     } );
     </pre>
    +		<p>
    +			Please not that disabling filtering is not recommended
    +			as <strong>it can result in XSS vulnerabilities</strong>.
    +			It is recommended to <a
    +			href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#use-acf-in-default-automatic-mode">
    +			rely on the automatic configuration</a>.
    +		</p>
     
     		<h2>Beyond data flow: Features activation</h2>
     		<p>
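Review bot: typo in the new paragraph, "Please not that disabling filtering is not recommended" should read "Please note that disabling filtering is not recommended". The warning itself is the right addition next to the `allowedContent: true` snippet, since that setting turns ACF off entirely; consider naming the recommended alternative in the link text (automatic ACF mode) so a reader knows what to switch back to without following the link.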
    @@ -446,55 +465,6 @@ <h1 id="editor5" contenteditable="true">
     		</script>
     	</div>
     
    -	<br>
    -
    -	<div>
    -		<label for="editor7">
    -			Editor 7:
    -		</label>
    -		<div class="description">
    -			<p>
    -				This editor is using a custom configuration for <abbr title="Advanced Content Filter">ACF</abbr>.
    -				It's using the <a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_disallowed_content.html" rel="noopener noreferrer" target="_blank">
    -				Disallowed Content</a> property of the filter to eliminate all <code>a</code> and <code>img</code> tags,
    -				while allowing all other tags.
    -			</p>
    -<pre class="samples">
    -CKEDITOR.replace( 'editor7', {
    -	allowedContent: {
    -		// Allow all content.
    -		$1: {
    -			elements: CKEDITOR.dtd,
    -			attributes: true,
    -			styles: true,
    -			classes: true
    -		}
    -	},
    -	disallowedContent: 'img a'
    -} );
    -</pre>
    -		</div>
    -		<textarea cols="80" id="editor7" name="editor7" rows="10">
    -			&lt;h1&gt;&lt;img alt=&quot;Saturn V carrying Apollo 11&quot; class=&quot;right&quot; src=&quot;assets/sample.jpg&quot;/&gt; Apollo 11&lt;/h1&gt; &lt;p&gt;&lt;b&gt;Apollo 11&lt;/b&gt; was the spaceflight that landed the first humans, Americans &lt;a href=&quot;http://en.wikipedia.org/wiki/Neil_Armstrong&quot; title=&quot;Neil Armstrong&quot;&gt;Neil Armstrong&lt;/a&gt; and &lt;a href=&quot;http://en.wikipedia.org/wiki/Buzz_Aldrin&quot; title=&quot;Buzz Aldrin&quot;&gt;Buzz Aldrin&lt;/a&gt;, on the Moon on July 20, 1969, at 20:18 UTC. Armstrong became the first to step onto the lunar surface 6 hours later on July 21 at 02:56 UTC.&lt;/p&gt; &lt;p&gt;Armstrong spent about &lt;s&gt;three and a half&lt;/s&gt; two and a half hours outside the spacecraft, Aldrin slightly less; and together they collected 47.5 pounds (21.5&amp;nbsp;kg) of lunar material for return to Earth. A third member of the mission, &lt;a href=&quot;http://en.wikipedia.org/wiki/Michael_Collins_(astronaut)&quot; title=&quot;Michael Collins (astronaut)&quot;&gt;Michael Collins&lt;/a&gt;, piloted the &lt;a href=&quot;http://en.wikipedia.org/wiki/Apollo_Command/Service_Module&quot; title=&quot;Apollo Command/Service Module&quot;&gt;command&lt;/a&gt; spacecraft alone in lunar orbit until Armstrong and Aldrin returned to it for the trip back to Earth.&lt;/p&gt; &lt;h2&gt;Broadcasting and &lt;em&gt;quotes&lt;/em&gt; &lt;a id=&quot;quotes&quot; name=&quot;quotes&quot;&gt;&lt;/a&gt;&lt;/h2&gt; &lt;p&gt;Broadcast on live TV to a world-wide audience, Armstrong stepped onto the lunar surface and described the event as:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;One small step for [a] man, one giant leap for mankind.&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;Apollo 11 effectively ended the &lt;a href=&quot;http://en.wikipedia.org/wiki/Space_Race&quot; title=&quot;Space Race&quot;&gt;Space Race&lt;/a&gt; and fulfilled a national goal proposed in 1961 by the late U.S. 
President &lt;a href=&quot;http://en.wikipedia.org/wiki/John_F._Kennedy&quot; title=&quot;John F. Kennedy&quot;&gt;John F. Kennedy&lt;/a&gt; in a speech before the United States Congress:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;[...] before this decade is out, of landing a man on the Moon and returning him safely to the Earth.&lt;/p&gt;&lt;/blockquote&gt; &lt;h2&gt;Technical details &lt;a id=&quot;tech-details&quot; name=&quot;tech-details&quot;&gt;&lt;/a&gt;&lt;/h2&gt; &lt;table align=&quot;right&quot; border=&quot;1&quot; bordercolor=&quot;#ccc&quot; cellpadding=&quot;5&quot; cellspacing=&quot;0&quot; style=&quot;border-collapse:collapse;margin:10px 0 10px 15px;&quot;&gt; &lt;caption&gt;&lt;strong&gt;Mission crew&lt;/strong&gt;&lt;/caption&gt; &lt;thead&gt; &lt;tr&gt; &lt;th scope=&quot;col&quot;&gt;Position&lt;/th&gt; &lt;th scope=&quot;col&quot;&gt;Astronaut&lt;/th&gt; &lt;/tr&gt; &lt;/thead&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td&gt;Commander&lt;/td&gt; &lt;td&gt;Neil A. Armstrong&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td&gt;Command Module Pilot&lt;/td&gt; &lt;td&gt;Michael Collins&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td&gt;Lunar Module Pilot&lt;/td&gt; &lt;td&gt;Edwin &amp;quot;Buzz&amp;quot; E. Aldrin, Jr.&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;p&gt;Launched by a &lt;strong&gt;Saturn V&lt;/strong&gt; rocket from &lt;a href=&quot;http://en.wikipedia.org/wiki/Kennedy_Space_Center&quot; title=&quot;Kennedy Space Center&quot;&gt;Kennedy Space Center&lt;/a&gt; in Merritt Island, Florida on July 16, Apollo 11 was the fifth manned mission of &lt;a href=&quot;http://en.wikipedia.org/wiki/NASA&quot; title=&quot;NASA&quot;&gt;NASA&lt;/a&gt;&amp;#39;s Apollo program. 
The Apollo spacecraft had three parts:&lt;/p&gt; &lt;ol&gt; &lt;li&gt;&lt;strong&gt;Command Module&lt;/strong&gt; with a cabin for the three astronauts which was the only part which landed back on Earth&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Service Module&lt;/strong&gt; which supported the Command Module with propulsion, electrical power, oxygen and water&lt;/li&gt; &lt;li&gt;&lt;strong&gt;Lunar Module&lt;/strong&gt; for landing on the Moon.&lt;/li&gt; &lt;/ol&gt; &lt;p&gt;After being sent to the Moon by the Saturn V&amp;#39;s upper stage, the astronauts separated the spacecraft from it and travelled for three days until they entered into lunar orbit. Armstrong and Aldrin then moved into the Lunar Module and landed in the &lt;a href=&quot;http://en.wikipedia.org/wiki/Mare_Tranquillitatis&quot; title=&quot;Mare Tranquillitatis&quot;&gt;Sea of Tranquility&lt;/a&gt;. They stayed a total of about 21 and a half hours on the lunar surface. After lifting off in the upper part of the Lunar Module and rejoining Collins in the Command Module, they returned to Earth and landed in the &lt;a href=&quot;http://en.wikipedia.org/wiki/Pacific_Ocean&quot; title=&quot;Pacific Ocean&quot;&gt;Pacific Ocean&lt;/a&gt; on July 24.&lt;/p&gt; &lt;hr/&gt; &lt;p style=&quot;text-align: right;&quot;&gt;&lt;small&gt;Source: &lt;a href=&quot;http://en.wikipedia.org/wiki/Apollo_11&quot;&gt;Wikipedia.org&lt;/a&gt;&lt;/small&gt;&lt;/p&gt;
    -		</textarea>
    -		<script>
    -
    -			CKEDITOR.replace( 'editor7', {
    -				allowedContent: {
    -					// allow all content
    -					$1: {
    -						elements: CKEDITOR.dtd,
    -						attributes: true,
    -						styles: true,
    -						classes: true
    -					}
    -				},
    -				disallowedContent: 'img a'
    -			} );
    -
    -		</script>
    -	</div>
    -
     	<div id="footer">
     		<hr>
     		<p>
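Review bot: dropping Editor 7 is consistent with the warning added above, since its configuration allowed every element in `CKEDITOR.dtd` with `attributes: true`, `styles: true` and `classes: true` and only subtracted `img a` via `disallowedContent`, which is close to unfiltered content; the removal is not explained anywhere in the diff, though, so the commit message or the page text should say why the sample was dropped, and any remaining mention of `editor7` or of the number of editors elsewhere in this file should be checked so the page does not refer to an editor that no longer exists.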
    
  • samples/old/divreplace.html+12 1 modified
    @@ -26,7 +26,6 @@
     
     	</style>
     	<script>
    -
     		// Uncomment the following code to test the "Timeout Loading Method".
     		// CKEDITOR.loadFullCoreTimeout = 5;
     
    @@ -66,6 +65,18 @@
     			editor = CKEDITOR.replace( div );
     		}
     
    +
    +		CKEDITOR.on( 'instanceCreated', function( evt ) {
    +			evt.editor.on( 'contentPreview', function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			} );
    +		} );
     	</script>
     </head>
     <body>
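Review bot: the hook is added below the function that calls `editor = CKEDITOR.replace( div );` rather than above it, and with an extra `+` blank line on top of the existing one, while the first hunk of this file removes a blank line elsewhere in the same script. It works as written because instances are only created later, when that function runs, but moving the `CKEDITOR.on( 'instanceCreated', ... )` block above the instance-creating code makes the ordering requirement obvious at a glance, and the duplicate blank line should go.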
    
  • samples/old/inlineall.html+11 1 modified
    @@ -21,6 +21,16 @@
     			var editor = event.editor,
     				element = editor.element;
     
    +			editor.on( 'contentPreview', function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			} );
    +
     			// Customize editors for headers and tag list.
     			// These editors don't need features like smileys, templates, iframes etc.
     			if ( element.is( 'h1', 'h2', 'h3' ) || element.getAttribute( 'id' ) == 'taglist' ) {
    @@ -44,7 +54,7 @@
     					];
     				});
     			}
    -		});
    +		} );
     
     	</script>
     	<link href="sample.css" rel="stylesheet">
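Review bot: the `});` to `} );` change in this hunk is whitespace-only and unrelated to the preview fix; the same churn appears in the readonly.html, tabindex.html, uilanguages.html and xhtmlstyle.html hunks. Bundling formatting changes into a security fix makes the diff harder to audit (a reviewer has to check that each touched line is really only whitespace); split them into a separate commit or leave them for a lint pass.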
    
  • samples/old/inlinebycode.html+13 1 modified
    @@ -108,7 +108,19 @@ <h2>Technical details <a id="tech-details" name="tech-details"></a></h2>
     		// We need to turn off the automatic editor creation first.
     		CKEDITOR.disableAutoInline = true;
     
    -		var editor = CKEDITOR.inline( 'editable' );
    +		var editor = CKEDITOR.inline( 'editable', {
    +			on: {
    +				contentPreview: function( evt ) {
    +					evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +							'<h1>Content Preview was blocked</h1>' +
    +							'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +							'<p>Please refer to our ' +
    +								'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +								'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +						'</div>';
    +				}
    +			}
    +		} );
     	</script>
     	<div id="footer">
     		<hr>
    
  • samples/old/inlinetextarea.html+13 1 modified
    @@ -97,7 +97,19 @@ <h2>This is a sample form with some fields</h2>
     	</form>
     
     	<script>
    -		CKEDITOR.inline( 'article-body' );
    +		CKEDITOR.inline( 'article-body', {
    +			on: {
    +				contentPreview: function( evt ) {
    +					evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +							'<h1>Content Preview was blocked</h1>' +
    +							'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +							'<p>Please refer to our ' +
    +								'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +								'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +						'</div>';
    +				}
    +			}
    +		} );
     	</script>
     	<div id="footer">
     		<hr>
    
  • samples/old/jquery.html+26 2 modified
    @@ -26,8 +26,32 @@
     		CKEDITOR.disableAutoInline = true;
     
     		$( document ).ready( function() {
    -			$( '#editor1' ).ckeditor(); // Use CKEDITOR.replace() if element is <textarea>.
    -			$( '#editable' ).ckeditor(); // Use CKEDITOR.inline().
    +			$( '#editor1' ).ckeditor( {
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			} ); // Use CKEDITOR.replace() if element is <textarea>.
    +			$( '#editable' ).ckeditor( {
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			} ); // Use CKEDITOR.inline().
     		} );
     
     		function setValue() {
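Review bot: the notice block is duplicated twice inside a single `ready` callback; build one config object, for example `var blockPreview = { on: { contentPreview: function( evt ) { ... } } };`, and pass it to both `$( '#editor1' ).ckeditor( blockPreview )` and `$( '#editable' ).ckeditor( blockPreview )`. Also, the two explanatory comments (`// Use CKEDITOR.replace() if element is <textarea>.` and `// Use CKEDITOR.inline().`) now trail the closing `} );` lines, a dozen lines away from the calls they describe; move them above their respective calls.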
    
  • samples/old/readonly.html+12 2 modified
    @@ -26,8 +26,18 @@
     			editor.on( 'readOnly', function() {
     				document.getElementById( 'readOnlyOn' ).style.display = this.readOnly ? 'none' : '';
     				document.getElementById( 'readOnlyOff' ).style.display = this.readOnly ? '' : 'none';
    -			});
    -		});
    +			} );
    +
    +			editor.on( 'contentPreview', function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			} );
    +		} );
     
     		function toggleReadOnly( isReadOnly ) {
     			// Change the read-only state of the editor.
    
  • samples/old/replacebyclass.html+13 0 modified
    @@ -8,6 +8,19 @@
     	<meta charset="utf-8">
     	<title>Replace Textareas by Class Name &mdash; CKEditor Sample</title>
     	<script src="../../ckeditor.js"></script>
    +	<script>
    +		CKEDITOR.on( 'instanceCreated', function( evt ) {
    +			evt.editor.on( 'contentPreview',function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			} );
    +		} );
    +	</script>
     	<link rel="stylesheet" href="sample.css">
     	<meta name="description" content="Try the latest sample of CKEditor 4 and learn more about customizing your WYSIWYG editor with endless possibilities.">
     </head>
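Review bot: the new inline `<script>` is correctly placed after `<script src="../../ckeditor.js"></script>` and before any editor exists, which matters because a global `CKEDITOR.on( 'instanceCreated', ... )` hook only affects instances created after it is registered; since this sample relies on replace-by-class creating the editors later, a short comment stating that the hook must precede instance creation would help anyone copying the snippet. Same spacing nit as in datafiltering.html: `'contentPreview',function( evt )` should be `'contentPreview', function( evt )`.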
    
  • samples/old/replacebycode.html+13 1 modified
    @@ -39,7 +39,19 @@ <h1 class="samples">
     			// Replace the <textarea id="editor"> with an CKEditor
     			// instance, using default configurations.
     
    -			CKEDITOR.replace( 'editor1' );
    +			CKEDITOR.replace( 'editor1', {
    +				on: {
    +					contentPreview: function( evt ) {
    +						evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +								'<h1>Content Preview was blocked</h1>' +
    +								'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +								'<p>Please refer to our ' +
    +									'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +									'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +							'</div>';
    +					}
    +				}
    +			} );
     
     		</script>
     		<p>
    
  • samples/old/tabindex.html+13 3 modified
    @@ -29,15 +29,25 @@
     			// Apply focus class name.
     			editor.on( 'focus', function() {
     				editor.container.addClass( 'cke_focused' );
    -			});
    +			} );
     			editor.on( 'blur', function() {
     				editor.container.removeClass( 'cke_focused' );
    -			});
    +			} );
     
     			// Put startup focus on the first editor in tab order.
     			if ( editor.tabIndex == 1 )
     				editor.focus();
    -		});
    +
    +			editor.on( 'contentPreview', function( evt ) {
    +				evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +						'<h1>Content Preview was blocked</h1>' +
    +						'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +						'<p>Please refer to our ' +
    +							'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +							'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +					'</div>';
    +			} );
    +		} );
     
     	</script>
     </head>
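Review bot: the new `editor.on( 'contentPreview', ... )` lands directly after the unbraced conditional `if ( editor.tabIndex == 1 )` / `editor.focus();`, where someone skimming the diff can misread it as part of that `if`; either brace the conditional or move the handler up next to the `focus`/`blur` handlers so the preview block sits with the other event bindings.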
    
  • samples/old/uilanguages.html+10 1 modified
    @@ -98,9 +98,18 @@ <h1 class="samples">
     								var languages = document.getElementById( 'languages' );
     								languages.value = this.langCode;
     								languages.disabled = false;
    +							},
    +							contentPreview: function( evt ) {
    +								evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +										'<h1>Content Preview was blocked</h1>' +
    +										'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +										'<p>Please refer to our ' +
    +											'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +											'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +									'</div>';
     							}
     						}
    -					});
    +					} );
     				}
     
     				// At page startup, load the default language:
    
  • samples/old/xhtmlstyle.html+14 2 modified
    @@ -212,8 +212,20 @@ <h1 class="samples">
     
     						{ name: 'Cited Work', element: 'cite' },
     						{ name: 'Inline Quotation', element: 'q' }
    -					]
    -				});
    +					],
    +
    +					on: {
    +						contentPreview: function( evt ) {
    +							evt.data.dataValue = '<div style="padding: 1.5em;border: 3px #f00 solid">' +
    +									'<h1>Content Preview was blocked</h1>' +
    +									'<p>To ensure the highest security, the content preview in samples was blocked.</p>' +
    +									'<p>Please refer to our ' +
    +										'<a href="https://ckeditor.com/docs/ckeditor4/latest/guide/dev_best_practices.html#validate-preview-content">' +
    +										'best practices on security</a> to learn more how to properly configure and secure the content preview.</p>' +
    +								'</div>';
    +						}
    +					}
    +				} );
     
     			</script>
     		</p>
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
