This update fixes an issue where changes to content were not saved if the editor was configured without the Editor, Code and Preview tabs.
Previously, JCE Pro 2.9.25 included some security-related changes to the Editor Toggle options and Code Tab in JCE Core.
Toggle Editor Changes
The Toggle Editor button, located on the left above the editor toolbar and usually displayed as a "switch" or "power" icon, turns the editor off and on when clicked. When the editor is off, the textarea field is exposed, displaying the raw HTML content that is submitted when saving. In this state, the HTML content is not processed, validated or filtered by the editor in any way when submitted, as if the editor had not been loaded at all. Any further processing of the content is usually done on the server by the Joomla Text Filter, or by some other filtering mechanism used by the extension the user is creating the content in.
This highlights the importance of server-side filtering, as with the editor turned off, the potential exists for the content creator to accidentally or maliciously submit content that could create a security or reputational risk for the site. For this reason, the Toggle Editor options are now available in JCE Pro only, and the Toggle Editor switch is disabled and unavailable by default.
It should be noted, however, that even with content filtering and validation performed by the editor, it is still relatively easy for a malicious user to intercept and alter content while it is being submitted from the browser to the server.
Server-side filtering, such as that performed by the Joomla Text Filter, should never be disabled or weakened for anonymous or untrusted users. Where server-side filtering affects media embedding, such as with YouTube, Vimeo, Spotify, etc., which require iframes (not allowed for the Default Blacklist Text Filter setting), alternative embedding solutions provided by other extensions should be used for anonymous or untrusted users.
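As an added example (not JCE or Joomla code, and not the Joomla Text Filter itself), the following shows a server-side allowlist filter applied to raw submitted HTML, as it would arrive with the editor toggled off or after being altered in transit. The tag and attribute lists and the names `filter_html`, `safe_url` and `ServerSideFilter` are assumptions made for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy for untrusted users; NOT the Joomla Text Filter's lists.
ALLOWED = {"p": set(), "br": set(), "strong": set(), "em": set(), "ul": set(),
           "li": set(), "a": {"href", "title"}, "img": {"src", "alt"}}
VOID = {"br", "img"}
DROP_WITH_CONTENT = {"script", "style", "iframe"}  # removed with their content
SAFE_SCHEMES = {"", "http", "https", "mailto"}

def safe_url(value):
    """True if the URL scheme is allowlisted (whitespace/controls ignored)."""
    try:
        scheme = urlsplit("".join(c for c in value if c > " ")).scheme
    except ValueError:
        return False
    return scheme.lower() in SAFE_SCHEMES

class ServerSideFilter(HTMLParser):
    """Allowlist filter applied to every submission, whatever the editor did."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return  # unknown tags are stripped, their text is kept
        kept = [(n, v or "") for n, v in attrs if n in ALLOWED[tag]]
        kept = [(n, v) for n, v in kept if n not in ("href", "src") or safe_url(v)]
        attrs_out = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attrs_out}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def filter_html(raw):
    parser = ServerSideFilter()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)
```

Because the filter runs on the server on every save, its result is the same whether or not the editor validated the content first.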
JCE Core Code Editor
JCE Core lacks the sophisticated, full-featured Code Editor included with JCE Pro, and instead exposes the content textarea for HTML editing when the Code tab is clicked. This update adds validation and filtering to the textarea content when switching tabs, or when the content is submitted for saving.
A changelog for this release is available to view here.
Thank you to everyone who submitted bug reports and tested development versions. If you find any more issues, please submit them on the forum or on GitHub.
Download and Installation
JCE Pro is available for download with a JCE Pro Subscription.
If you already have a subscription, please make sure you set your key before updating.
Instructions for installing and updating JCE for each Joomla version are available here.