The obsolete and insecure CKEditor 4 CDN should be replaced with an offline v5 version or replaced with a newer CDN editor

[lwcorp]

Steps to reproduce
Edit a campaign

Required result
Get no warnings and don't risk your server.

Actual outcome

This CKEditor 4 version is not secure. Consider upgrading to the latest one. For more details, please check the browser console.

The browser console produces:

This CKEditor 4.5.7 version is not secure. Consider upgrading to the latest one, 4.25.0-lts: https://ckeditor.com/ckeditor-4-support/

Additional info
v4.5.7 is from almost a decade ago...while the latest free v4 is 4.22.1 which already became obsolete too. But v5's free CDN version is limited to 1,000 editor loads per month.

• You can ditch the CDN usage and instead include a free modern version of CKEditor in phpList's own installation, just like phpList already contains PHPMailer (and possibly other external utilities) in its admin folder. They even have an optional form for it.
• Otherwise, move to another free CDN editor. Some examples might be found in https://en.wikipedia.org/wiki/Template:HTML_editors under Open-source=>Web-based, for example ACE (see Loading Ace from a CDN in Embedding Ace in Your Site).

Interim solution
As per https://discuss.phplist.org/t/ckeditor-shows-warning-message-about-being-insecure/9621:

1. Make sure you have the latest CKEditor plugin (if needed, upgrade manually using https://github.com/bramley/phplist-plugin-ckeditor/archive/master.zip)
2. Use the last unlimited free CDN version in the settings: //cdn.ckeditor.com/4.22.1/full/ckeditor.js
   

This should buy some time, but it's not unlikely they'll remove this support one day (possibly when the commercial CKEditor 4 LTS version becomes obsolete too in December 2026).

[phpListDockerBot]

This issue has been mentioned on phpList Discuss. There might be relevant details there:

https://discuss.phplist.org/t/ckeditor-shows-warning-message-about-being-insecure/9621/6

[michield]

Yes, that needs updating.

[michield]

@bramley can I just check? I think this warrants a new plugin "CKeditor5". Are you working on that, or shall I get going?

[bramley]

The CKEditor 5 is not compatible with CKEditor 4 so it is not a case of simply "upgrading" it. I have had a go at modifying the plugin but it wasn't straightforward. I hacked something together using code samples from the documentation that does display the CKEditor 5 but it doesn't include a file manager to upload and select images. I don't know how or even if the kcfinder file manager can be incorporated. That too is obsolete.

I am actually quite happy using the current plugin with CKEditor 4 as it meets my needs. Also, because phplist uses CKEditor only within the admin interface and also in a very restricted way I think that the security issues are minimal.

[lwcorp]

Are plugins auto updated? If not, maybe consider for the time being to at least present administrators a link to both update the plugin and the URL of ckeditor.js.

But again, all of this just buys time. CKEditor is likely to eventually drop that v4 URL altogether.