Froala 4.1.4 Release: XSS Vulnerability, Enhancements

Froala 4.1.4 release

We are excited to share Froala version 4.1.4, addressing security vulnerabilities, improving stability, boosting performance, and delivering an enhanced user experience. Update now and enjoy a better Froala. Our commitment to the safety and satisfaction of all users remains our top priority.

Key Highlights

This release comes with several improvements and enhancements. Let’s take a look at the key highlights:

  • Resolving XSS vulnerabilities
  • Froala’s Sticky Toolbar is Now Working as Expected
  • Entering a Custom Text or Background Color Is Now Fixed
  • and More.


Let’s dig deep into the most significant changes in this release.

Resolving XSS vulnerabilities

There were three cross-site scripting (XSS) vulnerabilities reported by the CVE program. These vulnerabilities are:

  • CVE-2023-41592: A Cross-site scripting (XSS) vulnerability in Froala Editor v.4.1.1 allows attackers to manipulate the preview text when inserting a link in the document, allowing the insertion of XSS codes.
  • CVE-2023-43263: A Cross-site scripting (XSS) vulnerability in Froala Editor v.4.1.1 allows attackers to execute arbitrary code via the Markdown component.
  • CVE-2023-42426: A Cross-site scripting (XSS) vulnerability in Froala Editor v.4.1.1 allows remote attackers to execute arbitrary code via the ‘Insert link’ parameter in the ‘Insert Image’ component.

The technical team modified the editor code so that these vulnerabilities can no longer be used to attack editor users, keeping the Froala Editor secure. Examples of what such XSS attacks enable are:

  • The attacker can alter the content of the page viewed by the user.
  • An attacker could redirect you to a fraudulent website.
  • Attackers can obtain information through malicious input and fake forms.
  • and others.

Update to Froala 4.1.4 today to ensure a secure environment for your content to thrive, making sure your content stays safe and your users are protected.

Froala’s Sticky Toolbar is Now Working as Expected

Unfortunately, some users have encountered problems using Froala’s Sticky toolbar since version 4.0.18. By setting the `toolbarSticky` API option to true, users expected the toolbar to stick to the editor when scrolling. However, this feature was not functioning as expected in previous versions. We are happy to announce that this issue is fixed in Froala 4.1.4. Now, when the `toolbarSticky` option is enabled, the toolbar remains visible while scrolling down the page. This makes it easier for users to access the toolbar while working with the editor. Update to Froala 4.1.4 now and enjoy the fixed feature.

Here is an example of a Froala with a Sticky Toolbar.

Entering a Custom Text or Background Color Is Now Fixed

When selecting text in Froala Editor to apply a text or background color, a color picker appears with user-defined colors and an input field for entering a custom Hex code. However, in older versions, when a user entered a color Hex code into that input, the text selection was removed, so the color was not applied after clicking the “submit” button.

Froala color picker

This issue has been fixed in Froala 4.1.4. This fix ensures that users can easily customize the appearance of their content.

And More

By upgrading to the 4.1.4 release, you will also enjoy the following fixes:

  1. Fixed the cursor jumping during editing within a table.
  2. Fixed scrolling issues in specific scenarios, such as:
    • A scrolling issue when pressing Enter while the ENTER_BR option is enabled.
    • A scrolling issue when pasting large content containing images while the editor height is set to a fixed value.

All these improvements and more come together to make an already powerful WYSIWYG editor even better. Please find the complete changelog list here.

It’s time to update!

Don’t miss out on the benefits of the latest Froala 4.1.4 release. Update today and experience a safer, more efficient, and smoother content editing platform.

If you are using the plain JavaScript library or another framework, follow the table below to learn how to download the latest Froala Editor release and how to include it in your project based on your preferred method. The get started page covers the same options in more detail.

Method: CDN (pinned to 4.1.4)
Include in your project:

<!-- Include Editor stylesheet-->
<link href="https://cdn.jsdelivr.net/npm/froala-editor@4.1.4/css/froala_editor.pkgd.min.css" rel="stylesheet" type="text/css" />

<!-- Include Editor JavaScript file-->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/froala-editor@4.1.4/js/froala_editor.pkgd.min.js"></script>

Method: CDN (always the latest version)
Include in your project:

<!-- Include Editor stylesheet-->
<link href="https://cdn.jsdelivr.net/npm/froala-editor@latest/css/froala_editor.pkgd.min.css" rel="stylesheet" type="text/css" />

<!-- Include Editor JavaScript file-->
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/froala-editor@latest/js/froala_editor.pkgd.min.js"></script>

Method: NPM
How to download: npm install froala-editor
Include in your project:

<!-- Replace {download-folder-path} in the following example with the path to the folder containing the stylesheet file, e.g. ../css/froala_editor.pkgd.min.css -->
<link href="{download-folder-path}/froala_editor.pkgd.min.css" rel="stylesheet" type="text/css" />

<!-- Replace {download-folder-path} with the path to the folder containing the JS file, e.g. ../js/froala_editor.pkgd.min.js -->
<script type="text/javascript" src="{download-folder-path}/froala_editor.pkgd.min.js"></script>

Method: bower
How to download: bower install froala-wysiwyg-editor

Method: No package manager
How to download: Download the Froala WYSIWYG Editor files using the download form here.

Method: Integrated with a framework
How to download: Select your preferred framework from 17 different popular frameworks.

Method: Other options
Check here for other options to use Froala WYSIWYG Editor in your project.
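Because the three XSS issues above were reported against 4.1.1 and fixed in 4.1.4, the first thing to verify in an existing project is which Froala build it actually loads. The following script is an added example, not Froala's own tooling: it scans HTML for the jsdelivr include tags shown in the table and classifies each pinned version against the 4.1.4 fix release (a floating `@latest` tag is reported as unpinned, since it cannot be verified statically). The sample page is constructed for the demonstration.

```javascript
// Added example, not Froala's own code: flag Froala Editor references that predate
// the 4.1.4 fixes for CVE-2023-41592, CVE-2023-43263 and CVE-2023-42426.
const FIXED_VERSION = "4.1.4";

// Numeric comparison of dotted versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Extract the tag from a jsdelivr URL of the form shown in the download table:
// "4.1.1", "latest", or null when the URL is not a froala-editor reference.
function froalaVersionFromUrl(url) {
  const m = /\/npm\/froala-editor@([0-9.]+|latest)\//.exec(url);
  return m ? m[1] : null;
}

// Classify one exact version (e.g. from package-lock.json) against the fix release.
function classifyVersion(version) {
  if (version === "latest") return "unpinned"; // cannot be verified statically
  return compareVersions(version, FIXED_VERSION) < 0 ? "vulnerable" : "ok";
}

// Scan HTML text for <link href> / <script src> tags that load Froala from the CDN.
function auditHtml(html) {
  const findings = [];
  const attrRe = /\b(?:src|href)=["']([^"']+)["']/g;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const version = froalaVersionFromUrl(m[1]);
    if (version !== null) findings.push({ url: m[1], version, status: classifyVersion(version) });
  }
  return findings;
}

// Constructed sample page (not a real project): one stale pin, one floating tag, one fixed pin.
const SAMPLE_HTML = `
<link href="https://cdn.jsdelivr.net/npm/froala-editor@4.1.1/css/froala_editor.pkgd.min.css" rel="stylesheet">
<script src="https://cdn.jsdelivr.net/npm/froala-editor@latest/js/froala_editor.pkgd.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/froala-editor@4.1.4/js/froala_editor.pkgd.min.js"></script>
`;

for (const f of auditHtml(SAMPLE_HTML)) console.log(f.status.padEnd(10), f.url);
```

For npm installs, pass the exact version recorded in package-lock.json to `classifyVersion` instead of scanning HTML.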

For Froala Editor Version 2 Users:

Follow this migration guide to get step-by-step instructions on how to upgrade from version 2.

Try The Latest Froala Editor

Explore a variety of examples that demonstrate the functionality of the Froala HTML Editor.

Support and Feedback

We are dedicated to always offering the best possible experience for all our users. We believe this release, meant to enhance TypeScript support, is a stepping stone towards that commitment. We encourage you to try this improved TypeScript support and give us your valuable feedback. Your input is crucial for delivering continuous enhancement in meeting your evolving needs. Thank you for being a valuable part of our vibrant and growing community.
We would like to hear what you think of the latest release! Join us on our GitHub Community to chat with our product manager, developers, and other members of the Froala team.

Get Started

  • You can download and start using Froala in less than five minutes following our get started guide.


Posted on December 8, 2023

Mostafa Yousef

Senior web developer with a profound knowledge of the JavaScript and PHP ecosystem. Familiar with several JS tools, frameworks, and libraries. Experienced in developing interactive websites and applications.
