Participating Frequently
November 24, 2021
Question

Manual update of CKEditor ColdFusion 2021


My internal security scans are still going nuts when scanning the ColdFusion server in regard to CKEditor. Is there a manual way to upgrade from the installed 4.10 to at least the 4.16 version to plug a bunch of holes? Or even better the current 4.17 version on the 4.X stack.


    3 replies

    altascene
    Inspiring
    December 9, 2021

    We are seeing this as an issue on our 2018 installations, as well.  Sorry to hear that manually moving up to a newer version isn't a practical solution.  With CKEditor at v5, and this an issue in 2021, I don't hold out hope for a resolution for our environment.

    altascene
    Inspiring
    December 9, 2021

    We aren't using the CKEditor upload feature.  Is there a way to disable it?

    Charlie Arehart
    Community Expert
    October 6, 2022

    I realize this question (about removing file upload capabilities from ckeditor) is now several months old, but if you're still interested (@altascene), are you aware first that CF prevents file uploads to CF from that by default? See the file settings.cfm (in [cf]\cfusion\wwwroot\cf_scripts\scripts\ajax\ckeditor\), which has this line:

    <cfset settings.AllowUploads = "false">

    That defaults to false for CF2021, 2018, and 2016 (CF11 had used fckeditor).

     

    Or if you may mean you want to remove the upload elements from the UI (such as in cftextarea richtext="true"), I'll note first that I don't find it appearing in CF2021, but if you do see it, you should be able to remove it by editing the config.js (in [cf]\cfusion\wwwroot\cf_scripts\scripts\ajax\ckeditor\) and using its removeDialogTabs setting:

    config.removeDialogTabs = 'link:upload;image:Upload';

    which is discussed a bit more in the ckeditor config docs here.  If that helps (or does not), let us know. If you've moved on and are no longer concerned about the matter, I hope it may help future readers (and I'm open to correction if I have anything wrong).

    /Charlie (troubleshooter, carehart.org)
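
The two settings named in the reply above can be checked across servers with a short script. This is an added example, not part of the thread or of ColdFusion's own code: the function names and sample file contents are constructed, and treating `true`, `yes` or `1` as "uploads enabled" is an assumption.

```python
import re

# Constructed samples; real files live in the ckeditor folder named above.
SAMPLE_SETTINGS = '''<!--- <cfset settings.AllowUploads = "true"> --->
<cfset settings.AllowUploads = "false">
'''
SAMPLE_CONFIG = '''CKEDITOR.editorConfig = function( config ) {
    // config.removeDialogTabs = 'link:upload;image:Upload';
    config.removeDialogTabs = 'image:Upload';
};
'''

# Comments are stripped first so a commented-out setting is not read as live.
CFML_COMMENT = re.compile(r"<!---.*?--->", re.S)
JS_COMMENT = re.compile(r"/\*.*?\*/|^[ \t]*//[^\n]*", re.S | re.M)
ALLOW_UPLOADS = re.compile(
    r"<cfset\s+settings\.AllowUploads\s*=\s*[\"']?(\w+)[\"']?\s*/?>", re.I)
REMOVE_TABS = re.compile(r"config\.removeDialogTabs\s*=\s*(['\"])(.*?)\1")

def uploads_allowed(settings_cfm):
    """True/False for the last live AllowUploads <cfset>, None if absent."""
    values = ALLOW_UPLOADS.findall(CFML_COMMENT.sub("", settings_cfm))
    if not values:
        return None
    # Assumption: any CFML-truthy literal counts as enabled.
    return values[-1].lower() in ("true", "yes", "1")

def removed_tabs(config_js):
    """Set of 'dialog:tab' ids from the last live removeDialogTabs line."""
    hits = REMOVE_TABS.findall(JS_COMMENT.sub("", config_js))
    return {t.strip() for t in hits[-1][1].split(";") if t.strip()} if hits else set()

def audit(settings_cfm, config_js, want=("link:upload", "image:Upload")):
    """Return findings; an empty list means both settings match the post."""
    findings = []
    state = uploads_allowed(settings_cfm)
    if state is None:
        findings.append("settings.cfm: AllowUploads not set")
    elif state:
        findings.append("settings.cfm: AllowUploads is enabled")
    missing = [t for t in want if t not in removed_tabs(config_js)]
    if missing:
        findings.append("config.js: upload tabs not removed: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_SETTINGS, SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```
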
    azoner2965
    New Participant
    November 30, 2021

    We have the same issue.

    BKBK
    Community Expert
    November 28, 2021

    Your worries are justified. Especially given the CKEditor vulnerability discovered some years ago. However, even if you could manually update CKEditor, I would discourage you from doing so. 

     

    CKEditor is integrated in ColdFusion. There might be dependencies that you're unaware of. If you tampered with the CKEditor installation, you might break more things than you fix.

     

    ColdFusion is a service. So, where necessary, the service-provider is best placed to do the update. Make a ColdFusion 2021 Feature Request.  After all, as the vulnerability proved, what you want is in Adobe's best interest.