CKEditor security warning

Situation
Starting this morning, every time we opened the CKEditor we got a red security warning that “CKEditor 4.22.1 (Standard) version is not secure. Consider upgrading to the latest one, 4.24.0-lts”. I was looking at this on GitHub but I’m not sure that changing the package-lock.json is all that I have to change: chore(deps): bump ckeditor4 from 4.22.1 to 4.24.0 by dependabot[bot] · Pull Request #7212 · openemr/openemr · GitHub. Please help. Thank you!

OpenEMR Version
I’m using OpenEMR version 7.0.2 (1)

Browser:
I’m using: Firefox, Chrome, Vivaldi

Operating System
I’m using: Debian

Search
Did you search the forum for similar questions? yes, but last thread update was in 2019.

Logs
Did you check the logs?
Was there anything pertinent in them?
Please paste them here (surround with three backticks (```) for readability).
You can also turn on User Debugging under Administration->Globals->Logging User Debugging Options=>All

Admin Solution: CKEditor security warning - #4 by sjpadgett

1 Like

Crap. You can’t upgrade past 4.22.1 unless you pay for security updates, period. Project gave notice and deprecated security support unless licensed versions after 4.22.1, i.e. they screwed the opensource community. Shame on them.
That notice wasn’t there when I reverted from 4.24 so I’ll have to refactor them out of openemr, a somewhat major undertaking I won’t take on readily.

All I will say is we admins donate considerable time keeping openemr bugs fixed and the tedious support for PHP version and sequel engines changes (which btw thank @brady.miller for this tedious and labor intensive work).

The community is going to have to do a better job at supporting us devs to keep up with modernizing and keeping up to date with core development.

We need donations because we have no budget for these kinds of things and to be honest I’m getting tired of being the kind soul toward the community.

Sorry but currently I’m dissuaded with both vendor and community support being so lacking. But still I’ll carry on to try and keep openemr the number one opensource emr.

I’ll at least see if I can find a work around and sorry for rant!

2 Likes

I found a simple work around. Will publish once I test.

Replace library/js/nncustom_config.js with attached file. This will fix NN but portal will take a minute!

nncustom_config.js (1.0 KB)

1 Like

@sjpadgett I am a hard core open source lover, I am still learning programming and trying to be there for community on the forum and help them with whatever I know.
I am always here to help test or do beta checks … things for which you admins don’t have much time.
I hope to hang around with openemr for a long time, will support it even better with $'s, made a humble beginning a few days ago.

We appreciate your support Robert. We have several like minded folks but just not enough for what we need to do.

Thank you so much Jerry! It worked for me after I cleared cache and restarted.

I’m just wondering if we can have like a little countdown timer for donation funds goal for the month on the top of OpenEMR’s website and forum. I’ve seen it done and I think it works because I donate more to organizations when I see that. As for my part I will increase my monthly donation to OpenEMR. I can’t tell you how much I appreciate your efforts in this project.

1 Like

I thank you for that.
As for easier to donate you’re right however we’ve started a project that allows dev to put up projects looking for funding with a funding goal that once is hit starts the project. No monies are released until reviewed and signed off.

Right now I have RingCentral I’m almost finished with and will give out a patch to install. First release will pretty much be a slightly improved version of 2.2.2.

Right now I’m thinking of replacing 2FA with JWT for easier use, i.e. no login.

Then back to portal and adding expirable onetime token that users issues where portal passwords are issued now. Can set up to a year if you want.

1 Like

Hi all. The fix is to add the statement `versionCheck: false` to wherever `CKEDITOR.replace('inputBody', { })` is instantiated

In messages.php

and

here

This worked for me.
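
To find every place that still needs the setting described above, a small Node.js scan can list each `CKEDITOR.replace()` call and whether its inline config sets `versionCheck: false`. This is an added example, not part of the original post or OpenEMR's code; the sample source is constructed, and the scan only inspects the config object passed at the call site, not a separate custom config file.

```javascript
// Added example: flag CKEDITOR.replace() calls whose inline config lacks
// versionCheck: false. SAMPLE is constructed, not taken from OpenEMR.

// Return the text between the '(' at openIdx and its matching ')',
// ignoring brackets that appear inside quoted strings.
function callArguments(src, openIdx) {
  let depth = 0, quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const ch = src[i];
    if (quote) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // closing quote
    } else if (ch === '"' || ch === "'" || ch === '`') quote = ch;
    else if (ch === '(') depth++;
    else if (ch === ')' && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return null; // unbalanced call, e.g. a truncated file
}

// One entry per call: 1-based line number and whether the check is disabled.
function findReplaceCalls(src) {
  const results = [];
  const re = /CKEDITOR\s*\.\s*replace\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const args = callArguments(src, m.index + m[0].length - 1);
    const line = src.slice(0, m.index).split('\n').length;
    const disabled = args !== null && /\bversionCheck\s*:\s*false\b/.test(args);
    results.push({ line, versionCheckDisabled: disabled });
  }
  return results;
}

const SAMPLE = [
  "CKEDITOR.replace('inputBody', {",
  "  toolbar: 'Basic'",
  "});",
  "CKEDITOR.replace('inputBody', {",
  "  versionCheck: false,",
  "  removePlugins: 'elementspath'",
  "});",
  "CKEDITOR.replace('notes');",
].join('\n');

for (const r of findReplaceCalls(SAMPLE)) {
  console.log(`line ${r.line}: ${r.versionCheckDisabled ? 'ok' : 'missing versionCheck: false'}`);
}
```
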

Great thanks although I didn’t need to add in portal. Strange.
Remember to also still fix in Nation Notes.

I’m almost ready for you to test RC Fax.

1 Like

Sorry Dan. Wrong thread. Also see my fix for NN.

Thank you so much Jerry! We will be happy to test Ring Central!

Saw that. Tried it and it didn’t seem to work, but I could have done something incorrectly. CKEditor made a blog post about this. Here is the link. Their solution won’t cause speed issues.

https://ckeditor.com/blog/important-update-for-ckeditor-4-users/

fixed in next patch including portal use

1 Like

Is it possible to upgrade to ckeditor5? Upgrade CKEditor 4 to 5 | CKEditor

Too much of a pain and CKEditor isn’t worth it. When I get time I’m replacing with something else.