
Obnoxious interstitial "security notice" obscures the editor

Open · aembler opened this issue 2 years ago · 5 comments

📝 Provide detailed reproduction steps (if any)

  1. Open the editor.

✔️ Expected result

I would get the editor and be able to edit the proper text.

❌ Actual result

I am blocked with specious, obnoxious fearmongering and a blatant, unprofessional plug for an LTS version that is absolutely unnecessary.

image

❓ Possible solution

I see two possible solutions.

  1. License CKEditor 5 on terms that we could actually use and include it on our open source project.

(or)

  1. Switch to an alternate editor immediately.

aembler · Feb 07 '24 23:02

Hi @aembler,

The message appeared in CKEditor 4, not in CKEditor 5 (this is the issue tracker of CKEditor 5).

CKEditor 4 was sunsetted in June 2023. We used all the possible communication channels to notify everyone that the project would no longer be maintained.

The ckeditor.com website contained the information that CKEditor 4 is going EOL in 2023 starting from the end of 2019. When we got closer to the deadline, we sent an email to all newsletter subscribers, published a blog post in March 2023 and mentioned the end of life in the changelog file of CKEditor 4 in June 2023: https://github.com/ckeditor/ckeditor4/blob/master/CHANGES.md#ckeditor-4220--4221. In the same changelog file, we explained that the editor will notify when it stops being secure (to protect users from integrators who forget to keep their systems up to date and safe).

Additionally, we updated the README file of the project as well as the description of the npm package to again increase the awareness that the project is no longer maintained and will become insecure sooner or later.

We did everything we could to reach out to all CKEditor 4 users with the information that they should migrate to another version of CKEditor, or switch to CKEditor 4 LTS, effectively giving much more than 6 months to react.

What happened yesterday was inevitable: we got a security report from one of our customers, and we issued a security update to CKEditor 4 LTS. From now on, the last open-source version is officially insecure.

As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it. There have been months/years to take appropriate actions and replace/upgrade CKEditor 4 that went out of support.

License CKEditor 5 on terms that we could actually use and include it on our open source project.

We have a solution for that - depending on the type of your project you may qualify for the “Free for Open Source” license that grants the license compatible with any open-source project. All it requires is contacting us. It’s public information explained in https://ckeditor.com/legal/ckeditor-oss-license/

wwalc · Feb 08 '24 09:02

I'm confused. Version 4.21.0 is now reported as being secure.

image

FlowIT-JIT · Feb 12 '24 11:02

@FlowIT-JIT TL;DR: that's an intentional behavior since Friday (Feb 9th) - we disabled the notification, it's not an error.

Longer explanation:

We have a very limited way of communicating and influencing self-hosted installations of CKEditor 4, basically what we have only in our hands is that simple (configurable) system designed to render a notification based on the information passed in the JSON response from the server.

We watched closely how showing the notification impacted the existing systems and decided to temporarily turn off the notification to give all integrators time to react. It was only possible by sending an incorrect JSON response (with version 4.21 marked as secure) that will make the open-source version think that the editor is still secure.

As I mentioned in my initial reply, we tried all communication channels to notify about the end-of-life of CKEditor 4, that’s why we decided to use this way of communication to make sure everyone is aware of using a product that reached end-of-life over 6 months ago and has known security issues.

We are still debating internally when to turn this notification on again. I can say we will not do this sooner than on April 2nd. The exact date and communication plan are being discussed.

wwalc · Feb 12 '24 16:02

@wwalc Hi,

Thank you for taking the time to explain this in greater detail, I appreciate that - thanks 😊

FlowIT-JIT · Feb 13 '24 07:02

There has been no activity on this issue for the past year. We've marked it as stale and will close it in 30 days. We understand it may still be relevant, so if you're interested in the solution, leave a comment or reaction under this issue.

CKEditorBot · Nov 21 '25 23:11