UPDATE: JCE Pro 2.9.1 has been released to fix a bug where pressing backspace in the editor when editing specific content would cause the browser to hang.
This update consolidates and builds on the new features and enhancements introduced in JCE Pro 2.8 and includes a number of new features of its own, as well as the usual stash of bug fixes.
Primarily aimed at power users and site admins, the new features include a new way to manage code in the editor with Code Blocks, a Text Editor for editing text-like files such as html, txt, md and json, and options to set restrictions on iframe urls. We've also made some changes to the JCE Admin layout, moving parameter descriptions into inline help boxes, and tweaked some layout stuff to get the editor Joomla 4 ready.
A changelog for this release is available to view here
Thank you to everyone who submitted bug reports and tested development versions. If you find any more issues please submit them on the forum or on github.
This update fixes a number of issues reported since the last release and makes some changes to the way event attributes (e.g. onclick, onload) are handled. In addition, an important security update is included to prevent potential cross-site scripting attacks.
Event Attribute Changes
The Rollover effect provided by the Image Manager uses event attributes, and so the Allow Event Attributes option will now need to be enabled to use this feature. Existing rollover effects will be protected if the option is not enabled.
A Security Update
An article was recently published which demonstrated that many popular WYSIWYG editors were and are vulnerable to a cross-site scripting attack when pasting content copied from a malicious site, by taking advantage of event attributes in the copied HTML. As JCE uses a version of the TinyMCE editor mentioned in the article, it too was vulnerable to this potential exploit. This update fixes the issue by removing all event attributes from pasted content copied from external sources, unless explicitly allowed in the Clipboard parameters.
In addition to this, better processing of HTML comments and media elements, and a fix in the Visual Characters feature, remove other potential instances where similar exploits could be executed by a user.
It should be noted that these issues require the editor to be active, either by a malicious user creating or editing content, or by a user inadvertently pasting in content from a malicious website. Nevertheless, all users are advised to update to JCE 2.8.15 as soon as possible.
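The paste filtering described above, removing event attributes from externally copied HTML unless they are explicitly allowed, can be sketched as follows. This is an added example in Python, not JCE's or TinyMCE's code; `PasteFilter`, `filter_paste` and the `allow_events` flag are hypothetical names, the sample HTML is constructed, and only the event-attribute step is covered (script elements and other content are out of scope).

```python
from html import escape
from html.parser import HTMLParser


class PasteFilter(HTMLParser):
    """Re-serialise pasted HTML, dropping on* event attributes."""

    def __init__(self, allow_events=False):
        super().__init__(convert_charrefs=True)
        self.allow_events = allow_events  # hypothetical stand-in for the Clipboard setting
        self.out = []
        self.removed = []  # (tag, attribute) pairs that were dropped

    def _emit(self, tag, attrs, close=""):
        kept = []
        for name, value in attrs:
            # html.parser lower-cases attribute names, so ONERROR and OnClick
            # are caught; any name starting with "on" is treated as an event.
            if name.startswith("on") and not self.allow_events:
                self.removed.append((tag, name))
                continue
            kept.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join([tag] + kept) + close + ">")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, " /")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
    # Comments, doctypes and processing instructions are not re-emitted.


def filter_paste(html, allow_events=False):
    """Return (filtered_html, removed_attributes) for a pasted fragment."""
    f = PasteFilter(allow_events)
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample of HTML copied from an external page.
SAMPLE = '<p>Hi <img src="a.png" ONERROR="x()"><a href="/x" onclick="go()">link</a></p>'

if __name__ == "__main__":
    print(filter_paste(SAMPLE))
```

Logging the `removed` list gives an audit trail of which pasted elements carried handlers.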