
The obsolete and insecure CKEditor 4 CDN should be replaced with an offline v5 version or replaced with a newer CDN editor

Open lwcorp opened this issue 10 months ago • 5 comments

Steps to reproduce: Edit a campaign

Required result: Get no warnings and don't risk your server.

Actual outcome:

This CKEditor 4 version is not secure. Consider upgrading to the latest one. For more details, please check the browser console.


The browser console produces:

This CKEditor 4.5.7 version is not secure. Consider upgrading to the latest one, 4.25.0-lts: https://ckeditor.com/ckeditor-4-support/


Additional info: v4.5.7 is from almost a decade ago... while the latest free v4 is 4.22.1, which already became obsolete too. But v5's free CDN version is limited to 1,000 editor loads per month.

  • You can ditch the CDN usage and instead include a free modern version of CKEditor in phpList's own installation, just like phpList already contains PHPMailer (and possibly other external utilities) in its admin folder. They even have an optional form for it.
  • Otherwise, move to another free CDN editor. Some examples might be found in https://en.wikipedia.org/wiki/Template:HTML_editors under Open-source=>Web-based, for example ACE (see Loading Ace from a CDN in Embedding Ace in Your Site).

Interim solution: As per https://discuss.phplist.org/t/ckeditor-shows-warning-message-about-being-insecure/9621:

  1. Make sure you have the latest CKEditor plugin (if needed, upgrade manually using https://github.com/bramley/phplist-plugin-ckeditor/archive/master.zip)
  2. Use the last unlimited free CDN version in the settings: //cdn.ckeditor.com/4.22.1/full/ckeditor.js

This should buy some time, but it's not unlikely they'll remove this support one day (possibly when the commercial CKEditor 4 LTS version becomes obsolete too in December 2026).

lwcorp, Jan 16 '25 13:01
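The interim solution above is a manual setting, and an administrator with several phpList installs has no quick way to see which of them still load the 4.5.7 build from the CDN. The following audit script is an added example, not code from phpList or the CKEditor plugin: it scans HTML for `cdn.ckeditor.com` script tags, parses the version in the URL and classifies it against the two version numbers quoted in this issue (4.22.1 as the last free CDN build, the `-lts` suffix for the commercial line). The sample page, and the local plugin path in it, are constructed for the example.

```python
import re

# Version strings quoted in the issue thread: 4.22.1 is the last CKEditor 4
# build on the free CDN; the "-lts" suffix marks the commercial LTS line.
LAST_FREE_V4 = (4, 22, 1)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-lts)?$")
# Matches https:// and protocol-relative (//cdn...) CDN URLs in script tags.
CDN_SCRIPT_RE = re.compile(
    r"""<script[^>]+src=["'](?P<url>(?:https?:)?//cdn\.ckeditor\.com/(?P<ver>[^/"']+)/[^"']*)["']""",
    re.IGNORECASE,
)


def parse_version(text):
    """Split '4.25.0-lts' into ((4, 25, 0), True); raise on unknown formats."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CKEditor version string: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4] is not None


def classify(version_text):
    """Map a CKEditor version to: outdated, last-free, lts, ckeditor5 or other."""
    nums, is_lts = parse_version(version_text)
    if nums[0] >= 5:
        return "ckeditor5"
    if nums[0] != 4:
        return "other"
    if is_lts:
        return "lts"
    if nums < LAST_FREE_V4:
        return "outdated"  # builds like 4.5.7 that trigger the in-editor warning
    if nums == LAST_FREE_V4:
        return "last-free"
    return "other"


def audit_html(html):
    """Return (url, version, status) for every CKEditor CDN script tag found.

    Locally bundled copies (no cdn.ckeditor.com host) are not reported,
    because the point of the audit is the CDN dependency itself.
    """
    findings = []
    for m in CDN_SCRIPT_RE.finditer(html):
        ver = m.group("ver")
        try:
            status = classify(ver)
        except ValueError:
            status = "unparseable"
        findings.append((m.group("url"), ver, status))
    return findings


# Constructed sample page (not real phpList output): an old CDN include, the
# last free CDN build, and a locally bundled copy at a hypothetical path.
SAMPLE_HTML = """
<html><head>
<script src="//cdn.ckeditor.com/4.5.7/full/ckeditor.js"></script>
<script src="https://cdn.ckeditor.com/4.22.1/full/ckeditor.js"></script>
<script src="/lists/admin/plugins/ckeditor/ckeditor.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for url, ver, status in audit_html(SAMPLE_HTML):
        print(f"{status:10} {ver:12} {url}")
```

Running it against the saved HTML of the campaign editor page reports the 4.5.7 include as `outdated` and the 4.22.1 include as `last-free`; the local copy is silently skipped, which is the state the first bullet in the issue argues for.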

This issue has been mentioned on phpList Discuss. There might be relevant details there:

https://discuss.phplist.org/t/ckeditor-shows-warning-message-about-being-insecure/9621/6

phpListDockerBot, Jan 16 '25 14:01

Yes, that needs updating.

michield, Jan 18 '25 10:01

@bramley can I just check? I think this warrants a new plugin "CKeditor5". Are you working on that, or shall I get going?

michield, Jan 18 '25 11:01

CKEditor 5 is not compatible with CKEditor 4, so it is not a case of simply "upgrading" it. I have had a go at modifying the plugin, but it wasn't straightforward. I hacked something together using code samples from the documentation that does display CKEditor 5, but it doesn't include a file manager to upload and select images. I don't know how, or even if, the kcfinder file manager can be incorporated. That too is obsolete.


I am actually quite happy using the current plugin with CKEditor 4, as it meets my needs. Also, because phpList uses CKEditor only within the admin interface, and in a very restricted way, I think the security issues are minimal.

bramley, Jan 18 '25 12:01

Are plugins auto-updated? If not, maybe consider, for the time being, at least presenting administrators with a link to both update the plugin and the URL of ckeditor.js.

But again, all of this just buys time. CKEditor is likely to eventually drop that v4 URL altogether.

lwcorp, Jan 19 '25 16:01

CKEditor 5 is now in release 3.7.0-RC2.

If you can verify and report issues on #1087, that would be great.

michield, Jun 23 '25 20:06