Created: Thursday, 14 July 2022 12:11

This is a maintenance update to fix a few issues reported the last release, including a few bugs affecting content creation in SP PageBuilder.

Note: A bug in SP PageBuilder 3.8.7 appears to affect editing and saving content in Text Addons with JCE Pro. Joomshaper appear to be aware of the issue, which is not present in SP PageBuilder 3.8.6

Created: Thursday, 23 June 2022 17:02

This update fixes an issue where changes to content were not saved if the editor was configured without the Editor, Code and Preview tabs.

Previously, JCE Pro 2.9.25 included some security related changes to the Editor Toggle options and Code Tab in JCE Core.

Toggle Editor Changes

The Toggle Editor button, located on the left above the editor toolbar and usually displayed as a "switch" or "power" icon, turns the editor off and on when clicked. When the editor is off, the textarea field is exposed, displaying the raw HTML content that is submitted when saving. In this state, this HTML content is no longer processed, validated or filtered by the editor anymore in any way when submitted, as if the editor had not been loaded at all. Any further processing of the content is usually done on the server by the Joomla Text Filter, or some other filtering mechanism used by the extension the user is creating the content in.

This highlights the importance of server-side filtering, as with the editor turned off, the potential exists for the content creator to accidentally or maliciously submit content that could create a security or reputational risk for the site. For this reason, the Toggle Editor options are now available in JCE Pro only, and the Toggle Editor switch is disabled and unavailable by default.

It should be noted however that even with content filtering and validation performed by the editor, it is still relatively easy for a malicious user to intercept and alter content while it is being submitted from the browser to the server. 

Server-side filtering, such as that performed by the Joomla Text Filter, should never be disabled or weakened for anonymous or untrusted users. Where server-side filtering affects media embedding, such as with Youtube, Viemo, Spotify, etc. which require iframes (no allowed for the Default Blacklist Text Filter setting), alternative embedding solutions provided by other extensions should be used for anonymous or untrusted users.

JCE Core Code Editor

JCE Core lacks the sophisticated, full featured Code Editor included with JCE Pro, and instead exposes the content textarea for HTML editing when the Code tab is clicked. This update adds validation and filtering to the textarea content when switching tabs, or when the content is submitted for saving.

Created: Wednesday, 22 June 2022 20:52

JCE Pro 2.9.26 has been released to fix issues loading languages, and asset files (scripts and stylesheets) when using the Compression options.

An error when accessing the Code tab in JCE Pro is also fixed.

Created: Wednesday, 22 June 2022 10:45

UPDATE:
JCE Pro 2.9.26 has been released to fix issues loading languages, and asset files (scripts and stylesheets) when using the Compression options.
An error when accessing the Code tab in JCE Pro is also fixed.

This update fixes a few issues reported or discovered since the last release and adds some security related changes to the Editor Toggle options and Code tab in JCE Core.

Toggle Editor Changes

The Toggle Editor button, located on the left above the editor toolbar and usually displayed as a "switch" or "power" icon, turns the editor off and on when clicked. When the editor is off, the textarea field is exposed, displaying the raw HTML content that is submitted when saving. In this state, this HTML content is no longer processed, validated or filtered by the editor anymore in any way when submitted, as if the editor had not been loaded at all. Any further processing of the content is usually done on the server by the Joomla Text Filter, or some other filtering mechanism used by the extension the user is creating the content in.

This highlights the importance of server-side filtering, as with the editor turned off, the potential exists for the content creator to accidentally or maliciously submit content that could create a security or reputational risk for the site. For this reason, the Toggle Editor options are now available in JCE Pro only, and the Toggle Editor switch is disabled and unavailable by default.

It should be noted however that even with content filtering and validation performed by the editor, it is still relatively easy for a malicious user to intercept and alter content while it is being submitted from the browser to the server. 

Server-side filtering, such as that performed by the Joomla Text Filter, should never be disabled or weakened for anonymous or untrusted users. Where server-side filtering affects media embedding, such as with Youtube, Viemo, Spotify, etc. which require iframes (no allowed for the Default Blacklist Text Filter setting), alternative embedding solutions provided by other extensions should be used for anonymous or untrusted users.

JCE Core Code Editor

JCE Core lacks the sophisticated, full featured Code Editor included with JCE Pro, and instead exposes the content textarea for HTML editing when the Code tab is clicked. This update adds validation and filtering to the textarea content when switching tabs, or when the content is submitted for saving.

Created: Friday, 27 May 2022 10:45

This update fixes a bug where a first-time installation of JCE in Joomla 4.1 would fail with an error. In addition, variable values in the File Directory Path would produce a PHP error if the Template Manager was enabled.

A few additional issues with the display of editor tabs in some templates and some issues with Column editing and the Styles list have also been fixed.