Created: Thursday, 23 June 2022 17:02

This update fixes an issue where changes to content were not saved if the editor was configured without the Editor, Code and Preview tabs.

Previously, JCE Pro 2.9.25 included some security related changes to the Editor Toggle options and Code Tab in JCE Core.

Toggle Editor Changes

The Toggle Editor button, located on the left above the editor toolbar and usually displayed as a "switch" or "power" icon, turns the editor off and on when clicked. When the editor is off, the textarea field is exposed, displaying the raw HTML content that is submitted when saving. In this state, this HTML content is no longer processed, validated or filtered by the editor anymore in any way when submitted, as if the editor had not been loaded at all. Any further processing of the content is usually done on the server by the Joomla Text Filter, or some other filtering mechanism used by the extension the user is creating the content in.

This highlights the importance of server-side filtering, as with the editor turned off, the potential exists for the content creator to accidentally or maliciously submit content that could create a security or reputational risk for the site. For this reason, the Toggle Editor options are now available in JCE Pro only, and the Toggle Editor switch is disabled and unavailable by default.

It should be noted however that even with content filtering and validation performed by the editor, it is still relatively easy for a malicious user to intercept and alter content while it is being submitted from the browser to the server. 

Server-side filtering, such as that performed by the Joomla Text Filter, should never be disabled or weakened for anonymous or untrusted users. Where server-side filtering affects media embedding, such as with Youtube, Viemo, Spotify, etc. which require iframes (no allowed for the Default Blacklist Text Filter setting), alternative embedding solutions provided by other extensions should be used for anonymous or untrusted users.

JCE Core Code Editor

JCE Core lacks the sophisticated, full featured Code Editor included with JCE Pro, and instead exposes the content textarea for HTML editing when the Code tab is clicked. This update adds validation and filtering to the textarea content when switching tabs, or when the content is submitted for saving.

Created: Wednesday, 22 June 2022 20:52

JCE Pro 2.9.26 has been released to fix issues loading languages, and asset files (scripts and stylesheets) when using the Compression options.

An error when accessing the Code tab in JCE Pro is also fixed.

Created: Wednesday, 22 June 2022 10:45

UPDATE:
JCE Pro 2.9.26 has been released to fix issues loading languages, and asset files (scripts and stylesheets) when using the Compression options.
An error when accessing the Code tab in JCE Pro is also fixed.

This update fixes a few issues reported or discovered since the last release and adds some security related changes to the Editor Toggle options and Code tab in JCE Core.

Toggle Editor Changes

The Toggle Editor button, located on the left above the editor toolbar and usually displayed as a "switch" or "power" icon, turns the editor off and on when clicked. When the editor is off, the textarea field is exposed, displaying the raw HTML content that is submitted when saving. In this state, this HTML content is no longer processed, validated or filtered by the editor anymore in any way when submitted, as if the editor had not been loaded at all. Any further processing of the content is usually done on the server by the Joomla Text Filter, or some other filtering mechanism used by the extension the user is creating the content in.

This highlights the importance of server-side filtering, as with the editor turned off, the potential exists for the content creator to accidentally or maliciously submit content that could create a security or reputational risk for the site. For this reason, the Toggle Editor options are now available in JCE Pro only, and the Toggle Editor switch is disabled and unavailable by default.

It should be noted however that even with content filtering and validation performed by the editor, it is still relatively easy for a malicious user to intercept and alter content while it is being submitted from the browser to the server. 

Server-side filtering, such as that performed by the Joomla Text Filter, should never be disabled or weakened for anonymous or untrusted users. Where server-side filtering affects media embedding, such as with Youtube, Viemo, Spotify, etc. which require iframes (no allowed for the Default Blacklist Text Filter setting), alternative embedding solutions provided by other extensions should be used for anonymous or untrusted users.

JCE Core Code Editor

JCE Core lacks the sophisticated, full featured Code Editor included with JCE Pro, and instead exposes the content textarea for HTML editing when the Code tab is clicked. This update adds validation and filtering to the textarea content when switching tabs, or when the content is submitted for saving.

Created: Friday, 27 May 2022 10:45

This update fixes a bug where a first-time installation of JCE in Joomla 4.1 would fail with an error. In addition, variable values in the File Directory Path would produce a PHP error if the Template Manager was enabled.

A few additional issues with the display of editor tabs in some templates and some issues with Column editing and the Styles list have also been fixed.

Created: Tuesday, 24 May 2022 10:16

This update fixes a number of bugs and issues reported or discovered since the last update and adds a few new features to the Template Manager and Styles list.

Template Manager Improvements

The Template Manager plugin, used to create and insert snippets of predefined HTML content, includes two improvements to how it handles dynamic variables in this content. A variable in content is a bit of code that it replaced with a predefined associated value when the content is inserted. A variable can be set in the content using the form: {$key}, where key is any word or phrase. So in the following code, the {$name} variable will be replaced with a predefined Value associated with the Key name:

<h3>{$name}</h3>
<p>Some text</p>

This Key and Value can be set in the Template Manager parameters, in the Replacement Values parameter option. This parameter has been updated to use a repeatable Name / Value parameter, making it easier to set the required values.

In addition to the paramer update, the inclusion of any variables in inserted content that are not predefined in the Replacement Values parameter, will display a Values dialog box for the user to enter in a value for each variable. This allows for the inserted content to be treated more dynamically, with the user able to specifiy any number of different variable values, such as names, urls, id values, titles etc. In the example below, a snippet of iframe HTML copied from Youtube, with the Youtube video id in the URL and title attribute value replace with the variables {$Video ID} and {$Video Title}, can be used to insert any Youtube video.

<iframe width="560" height="315" src="https://www.youtube.com/embed/{$Video ID}" title="{$Video Title}" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

When the content is inserted, the dialog prompt is shown, and the content inserted with the processed values:

Of course this content can be any HTML using any number of variables, and as the variable names are used for the labels for each field, the variable names can be real words or phrase, eg: {$Video Title}. Values supplied by the user can only be text content however, not additional HTML.

Styles List Updates

Improvements have been made to the Styles list to make it easier to apply or remove multiple styles on an element in one action by clicking on each style item in turn. This includes Custom Styles that apply block level formatting such as headings.

It is also now possible to apply styles to multiple selected elements, such as a selection of paragraphs.