
Obnoxious interstitial "security notice" obscures the editor #15811

Open

aembler opened this issue Feb 7, 2024 · 4 comments
Labels
type:bug This issue reports a buggy (incorrect) behavior.

Comments


aembler commented Feb 7, 2024

📝 Provide detailed reproduction steps (if any)

  1. Open the editor.

✔️ Expected result

I would get the editor and be able to edit the proper text.

❌ Actual result

I am blocked with specious, obnoxious fearmongering and a blatant, unprofessional plug for an LTS version that is absolutely unnecessary.

[screenshot of the interstitial notice]

❓ Possible solution

I see two possible solutions.

  1. License CKEditor 5 on terms that we could actually use and include it on our open source project.

(or)

  2. Switch to an alternate editor immediately.
@aembler aembler added the type:bug This issue reports a buggy (incorrect) behavior. label Feb 7, 2024
wwalc (Member) commented Feb 8, 2024

Hi @aembler,

The message appeared in CKEditor 4 not in CKEditor 5 (this is an issue tracker of CKEditor 5).

CKEditor 4 was sunsetted in June 2023. We used all the possible communication channels to notify everyone that the project would no longer be maintained.

The ckeditor.com website contained the information that CKEditor 4 is going EOL in 2023 starting from the end of 2019. When we got closer to the deadline, we sent an email to all newsletter subscribers, published a blog post in March 2023 and mentioned the end of life in the changelog file of CKEditor 4 in June 2023: https://github.com/ckeditor/ckeditor4/blob/master/CHANGES.md#ckeditor-4220--4221
In the same changelog file, we explained the editor will notify when it stops being secure (to protect users from integrators who forget to keep their systems up to date and safe).

Additionally, we updated the README file of the project as well as the description of the npm package to again increase the awareness that the project is no longer maintained and will become insecure sooner or later.

We did everything we could to reach out to all CKEditor 4 users with the information that they should migrate to another version of CKEditor, or switch to CKEditor 4 LTS, effectively giving much more than 6 months to react.

What happened yesterday was inevitable, we got a security report from one of our customers, and we issued a security update to CKEditor 4 LTS. From now on, the last open-source version is officially insecure.

As a software vendor, it is our responsibility to make sure that everyone who is using vulnerable software is aware of it. There have been months/years to take appropriate actions and replace/upgrade CKEditor 4 that went out of support.

> License CKEditor 5 on terms that we could actually use and include it on our open source project.

We have a solution for that - depending on the type of your project you may qualify for the “Free for Open Source” license that grants the license compatible with any open-source project. All it requires is contacting us. It’s public information explained in https://ckeditor.com/legal/ckeditor-oss-license/

FlowIT-JIT commented

I'm confused. Version 4.21.0 is now reported as being secure.

[screenshot showing version 4.21.0 reported as secure]

wwalc (Member) commented Feb 12, 2024

@FlowIT-JIT TL;DR: that’s intentional behavior since Friday (Feb 9th) - we disabled the notification, it’s not an error.

Longer explanation:

We have a very limited way of communicating with and influencing self-hosted installations of CKEditor 4; basically the only thing in our hands is that simple (configurable) system designed to render a notification based on the information passed in the JSON response from the server.

We watched closely how showing the notification impacted the existing systems and decided to temporarily turn off the notification to give all integrators time to react. It was only possible by sending an incorrect JSON response (with version 4.21 marked as secure) that will make the open-source version think that the editor is still secure.

As I mentioned in my initial reply, we tried all communication channels to notify about the end-of-life of CKEditor 4, that’s why we decided to use this way of communication to make sure everyone is aware of using a product that reached end-of-life over 6 months ago and has known security issues.

We are still debating internally when to turn this notification on again. I can say we will not do this sooner than April 2nd. The exact date and communication plan are being discussed.
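The mechanism wwalc describes (a self-hosted editor fetching a vendor-controlled JSON feed and rendering a notice based on it) is the security-relevant part of this thread, so here is an added example that models it. This is not CKEditor's own code, and the feed layout (`insecureBelow`, `overrides`, `message`), the constructed sample feeds and the placeholder minimum version `4.23.0` are assumptions made for the example; the real feed format and the LTS version number are not on this page.

```javascript
// Added example, not CKEditor's code. Models the client side of a
// vendor-controlled version-check feed: the editor compares its own
// version against the feed and shows a notice only if the feed says the
// installed version is not secure. Feed field names and version values
// are constructed for this example.

function parseVersion(v) {
  // "4.21" and "4.21.0" must compare equal, so pad to three components.
  const s = String(v).trim();
  if (!/^\d+(\.\d+){0,2}$/.test(s)) {
    throw new TypeError(`invalid version string: ${v}`);
  }
  const parts = s.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Normalise override keys so that "4.21" in the feed matches "4.21.0".
function normalizeOverrides(overrides) {
  const out = {};
  for (const [v, status] of Object.entries(overrides || {})) {
    out[parseVersion(v).join('.')] = status;
  }
  return out;
}

// Decide whether to show the notice. The feed is trusted as-is, which is
// exactly what let the vendor switch the notice on and off again with no
// change on the integrator's side: per-version overrides win over the
// "insecure below X" rule, so marking 4.21.0 as secure silences it.
function evaluateFeed(feed, installed) {
  if (!feed || typeof feed !== 'object' || typeof feed.insecureBelow !== 'string') {
    // A missing or malformed feed is "unknown", never silently "secure".
    return { status: 'unknown', showNotice: false, message: null };
  }
  const key = parseVersion(installed).join('.');
  const overrides = normalizeOverrides(feed.overrides);
  const secure = key in overrides
    ? overrides[key] === 'secure'
    : compareVersions(installed, feed.insecureBelow) >= 0;
  return {
    status: secure ? 'secure' : 'insecure',
    showNotice: !secure,
    message: secure ? null : String(feed.message || 'This version is no longer maintained.'),
  };
}

// The notice text arrives over the network; treat it as untrusted plain
// text and escape it before it is placed in markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderNotice(result) {
  if (!result.showNotice) return '';
  return `<div class="version-notice">${escapeHtml(result.message)}</div>`;
}

// Constructed feeds standing in for the two states described in the thread.
const FEED_NOTICE_ON = {
  insecureBelow: '4.23.0',            // placeholder, not the real LTS version
  message: 'This CKEditor 4 version is not secure. Consider upgrading.',
};
const FEED_NOTICE_OFF = {
  insecureBelow: '4.23.0',
  overrides: { '4.21': 'secure' },    // the "incorrect JSON" that silences 4.21.x
  message: 'This CKEditor 4 version is not secure. Consider upgrading.',
};

console.log(renderNotice(evaluateFeed(FEED_NOTICE_ON, '4.21.0')));   // notice shown
console.log(renderNotice(evaluateFeed(FEED_NOTICE_OFF, '4.21.0')));  // empty string
```

The practical takeaways for an integrator are the ones the thread implies rather than states: the verdict and the notice text are whatever the feed says, so the absence of a notice proves nothing about the build's security; an egress log of the version-check request is the simplest way to find installations that still phone home; and whatever the feed returns should be rendered as text, never as HTML.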

FlowIT-JIT commented

@wwalc Hi,

Thank you for taking the time to explain this in greater detail, I appreciate that - thanks 😊
