View Issue Details

ID: 0005920
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2024-04-08 08:45
Reporter: mj_antipode
Assigned To: sebastien
Priority: urgent
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 5.9.1
Fixed in Version: 5.10.1
Summary: 0005920: [EDIT] Update CKEditor version CKEditor version check warning message
Description

The CKEditor team released a new update and the integrated version (4.22.1) is being considered as insecure. This produces a red floating box with this message being pretty alarming.

Additional Information

The alinto team has already created a quick/dirty patch (THANKS) :
https://github.com/Alinto/sogo/commit/5081de1639162be9d259a3c921fb05084f879ce4

Tags: No tags attached.

Relationships

related to 0005937 (resolved, sebastien): The "Font Definitions" within the <style>-tag show up in content when answering/forwarding messages from Outlook

Activities

mj_antipode

2024-02-07 17:06

reporter  

qhivert

2024-02-07 18:53

administrator   ~0017566

Last edited: 2024-02-07 18:54

Hello!
Quentin from Alinto.

We can't simply get the next ckeditor4 LTS version as it is no longer free. We're looking for a solution asap.
Meanwhile, there is this dirty workaround available in the next nightly to prevent ckeditor from making the request and showing this message.
Or you can do it in your current version by adding this:

config.versionCheck = false;

to your ckeditor config file
in ubuntu/debian -> /usr/lib/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js
in rhel -> /usr/lib64/GNUstep/SOGo/WebServerResources/js/vendor/ckeditor/config.js

You'll need to empty the data and cache of your browser to not see the message again

sebastien

2024-02-07 21:25

administrator   ~0017570

Just to clarify, there is no known weakness for now, this is just an informative message generated by ckeditor.
When sending the mail, the string goes into stringWithoutHTMLInjection and is checked for common XSS.

=> We're currently looking at how to update ckeditor, because the Open Source version of ckeditor4 is not maintained.
=> The config.versionCheck will finally stay as the webmail should not call external URLs (unlike my comment in the code :/).

Sebastien

sebastien

2024-02-27 13:33

administrator   ~0017603

Dear SOGo users,

CKEditor has been upgraded to version 5 in the nightly 20240228.
Commit : https://github.com/Alinto/sogo/commit/e92fb8f52d615b72a6945760aecdf95039e1cbf2

Note : The SCAYT plugin is now a premium feature in CKEditor 5, so it has been removed from SOGo.

Please update this ticket if you have some issues regarding the new CKEditor version.

Sebastien

Christian Mack

2024-03-01 09:18

developer   ~0017610

Having no spell checking at all is a problem.
As a replacement for SCAYT, could you add the CKEditor option for enabling the browser spell checking?

WebServerResources/js/vendor/ckeditor/config.js:

config.disableNativeSpellChecker = false;

Browser context menu is usually reachable with <CTRL>+right mouse click in the edit area.
Perhaps this should be documented in the "Installation and Configuration Guide"?

sebastien

2024-03-01 13:54

administrator   ~0017615

That's a good suggestion Christian. I will add it.

In addition, comments in GitHub : https://github.com/Alinto/sogo/commit/e92fb8f52d615b72a6945760aecdf95039e1cbf2#commitcomment-139254610

nemphys

2024-03-01 14:05

reporter   ~0017616

Since the new CKEditor version (5) seems to mess with raw HTML inserted using the <Source> button (leading to messed-up HTML signature tables and embedded images), it would be nice if the HTML Embed plugin (https://ckeditor.com/docs/ckeditor5/latest/features/html/html-embed.html) was included, which seems to allow inserting (untouched) raw HTML.

Attached is the (redacted) original signature and how it now looks in the editor after v5.

nemphys

2024-03-01 14:09

reporter   ~0017617

The only drawback would of course be that users would now see raw html as their signature while editing messages :-)

sebastien

2024-03-04 14:13

administrator   ~0017620

Last edited: 2024-03-04 14:13

This has been fixed in commit : https://github.com/Alinto/sogo/commit/2b23ff3eb8dac6acc570b1aaa6e0baff72dd17ea :

  • Added config.disableNativeSpellChecker = false;
  • Added htmlEmbed button - CKEditor reformats tables. I have also added the table style contextual actions

@Christian Mack : The ctrl + right click action works for me (tested on mac and windows Chrome / Firefox). Can you provide more details on this (browser, os) ?

The commit will be included in nightly 20240305

Sebastien

nemphys

2024-03-04 14:15

reporter   ~0017622

Great!
Will test and confirm that it solves the signature issue as soon as the nightly build is available.
The only problem is that, even if it works, everybody will have to re-add their signatures using the html embed add-on, I suppose this will cause a lot of whining...

sebastien

2024-03-04 14:51

administrator   ~0017623

@nemphys I totally agree. I have added a commit : https://github.com/Alinto/sogo/commit/b7a71140f2b3eefb494a3acc151fe556ce1d3ce4 (NB 20240305) it seems to work on my tests, but your feedback will be welcome

Sebastien

nemphys

2024-03-05 11:08

reporter   ~0017628

I just tried with the 2024-03-05 nightly and I confirm that re-adding the HTML signature using the HTML embed plugin fixes the issue (though the signature now appears as raw HTML during message editing, which is not optimal UX-wise).
Before going through the re-addition procedure, the old HTML signature looked a little better than before (at least all embedded images were visible), but the table layout was still messed up.

sebastien

2024-03-05 13:44

administrator   ~0017629

Last edited: 2024-03-05 14:33

Thank you for your feedback, I have tested several signatures with no problems, can you send me your HTML signature to xxxxx ?

Sebastien

nemphys

2024-03-05 13:54

reporter   ~0017630

Sent, please check.

sebastien

2024-03-05 21:07

administrator   ~0017633

Hi all,

Same problem as https://github.com/ckeditor/ckeditor5/issues/8869
From what I can gather, there is no easy way to fix this.

So I have implemented the following behavior in the commit https://github.com/Alinto/sogo/commit/dd965baae110176c6144ccd64cbade3ef757966a (NB 20240306) :

  • Embedded html blocks now display a preview
  • Disabled centering for embedded html blocks preview
  • When a signature contains a <table> without <figure class="table"> (tags inserted by ckeditor), the signature is encapsulated with the <div class="raw-html-embed"> to avoid modifications by ckeditor

The consequence of this will be the HTML Code frame when writing a mail (check screenshot).

What is the community feedback on this ?

Sebastien

nemphys

2024-03-05 21:10

reporter   ~0017634

Looks good in the screenshot, will confirm as soon as I get the chance to test it.
Not sure if it covers all possible cases, though, others will have to test it with their signature to see if something else breaks.

nemphys

2024-03-06 11:51

reporter   ~0017636

I confirm that the HTML embed preview looks fine (at least with my signature).

sebastien

2024-03-06 13:26

administrator   ~0017637

Thank you @nemphys for the feedback.
Any other is welcome

Sebastien

sebastien

2024-03-11 10:14

administrator   ~0017650

Last edited: 2024-03-11 10:17

Sebastien

sebastien

2024-04-08 08:45

administrator   ~0017687

Hi there,

Some changes regarding the raw-html-embed tag in commit https://github.com/Alinto/sogo/commit/98e00d09a3e31b388592e2d1068d89bc57ff1d99 (NB 20240409)

  • The box style for signature has been removed to avoid end user's confusion
  • A new domain parameter has been introduced SOGoForceRawHtmlSignature to avoid adding the raw-html-embed - this parameter is set to YES by default, but you can set it to NO if you don't want to have the signature in the box and let CKEditor manage this
  • Fix : Removed adding raw-html-embed in database when saving the signature

Sebastien
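
The signature rule described in notes ~0017633 and ~0017687, sketched as an added example (this is not SOGo's code): wrap a signature in the raw-html-embed div only when it holds a table CKEditor did not generate, never wrap twice, and strip the wrapper again so it is not persisted. The function names are hypothetical, `forceRaw` stands in for SOGoForceRawHtmlSignature, and the regex-based tag matching is an assumption that suits short signature fragments only.

```javascript
// Added illustration, not SOGo's code; function names are hypothetical.
const RAW_OPEN = '<div class="raw-html-embed">';
const RAW_CLOSE = '</div>';

// True when the HTML holds a <table> outside any <figure class="table">,
// i.e. a table that CKEditor 5 did not generate itself.
function hasForeignTable(html) {
  const stripped = html.replace(/<figure\b([^>]*)>[\s\S]*?<\/figure>/gi, (whole, attrs) => {
    const cls = /\bclass\s*=\s*(["'])(.*?)\1/i.exec(attrs);
    // Compare whole class tokens so "table-wrapper" does not count as "table".
    return cls && cls[2].split(/\s+/).includes('table') ? '' : whole;
  });
  return /<table\b/i.test(stripped);
}

// Returns the inner HTML when the whole string is one raw-html-embed div,
// otherwise returns the input unchanged. Use before saving a signature.
function unwrapRawEmbed(html) {
  const t = html.trim();
  if (!t.startsWith(RAW_OPEN) || !t.endsWith(RAW_CLOSE)) return html;
  const inner = t.slice(RAW_OPEN.length, t.length - RAW_CLOSE.length);
  let depth = 0;
  for (const m of inner.matchAll(/<(\/?)div\b/gi)) {
    depth += m[1] ? -1 : 1;
    if (depth < 0) return html; // the wrapper was closed before the end
  }
  return depth === 0 ? inner : html;
}

// forceRaw stands in for the SOGoForceRawHtmlSignature domain parameter.
function signatureForEditor(html, forceRaw = true) {
  const alreadyWrapped = unwrapRawEmbed(html) !== html;
  if (!forceRaw || alreadyWrapped || !hasForeignTable(html)) return html;
  return RAW_OPEN + html + RAW_CLOSE;
}

// Constructed sample signatures.
const outlookStyle = '<table><tr><td><img src="cid:logo"></td><td>Jane Doe</td></tr></table>';
const editorStyle = '<figure class="table"><table><tbody><tr><td>Jane Doe</td></tr></tbody></table></figure>';
console.log(signatureForEditor(outlookStyle)); // wrapped in raw-html-embed
console.log(signatureForEditor(editorStyle));  // unchanged
```

Markup inside the wrapper is left untouched by the editor, so it still relies on the send-time check mentioned in note ~0017570 (stringWithoutHTMLInjection).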

Issue History

Date Modified Username Field Change
2024-02-07 17:06 mj_antipode New Issue
2024-02-07 17:06 mj_antipode File Added: Capture d’écran du 2024-02-07 17-19-44.png
2024-02-07 18:53 qhivert Note Added: 0017566
2024-02-07 18:54 qhivert Note Edited: 0017566
2024-02-07 21:25 sebastien Note Added: 0017570
2024-02-07 21:26 sebastien Severity minor => feature
2024-02-07 21:26 sebastien Summary CKEditor version check warning message => [EDIT] Update CKEditor version CKEditor version check warning message
2024-02-07 21:27 sebastien Assigned To => sebastien
2024-02-07 21:27 sebastien Status new => assigned
2024-02-13 09:40 sebastien Priority normal => urgent
2024-02-27 13:33 sebastien Note Added: 0017603
2024-02-27 13:33 sebastien Status assigned => feedback
2024-03-01 09:18 Christian Mack Note Added: 0017610
2024-03-01 13:54 sebastien Note Added: 0017615
2024-03-01 14:05 nemphys Note Added: 0017616
2024-03-01 14:05 nemphys File Added: Screenshot-2024-03-01-at-4.01.51 PM.jpg
2024-03-01 14:05 nemphys File Added: Screenshot-2024-03-01-at-4.02.06 PM.jpg
2024-03-01 14:09 nemphys Note Added: 0017617
2024-03-04 14:13 sebastien Note Added: 0017620
2024-03-04 14:13 sebastien Note Edited: 0017620
2024-03-04 14:15 nemphys Note Added: 0017622
2024-03-04 14:51 sebastien Note Added: 0017623
2024-03-05 11:08 nemphys Note Added: 0017628
2024-03-05 13:44 sebastien Note Added: 0017629
2024-03-05 13:54 nemphys Note Added: 0017630
2024-03-05 14:33 sebastien Note Edited: 0017629
2024-03-05 21:07 sebastien Note Added: 0017633
2024-03-05 21:07 sebastien File Added: Capture d’écran 2024-03-05 à 21.59.27.png
2024-03-05 21:10 nemphys Note Added: 0017634
2024-03-06 11:51 nemphys Note Added: 0017636
2024-03-06 13:26 sebastien Note Added: 0017637
2024-03-08 07:45 sebastien Relationship added related to 0005937
2024-03-11 10:14 sebastien Note Added: 0017650
2024-03-11 10:17 sebastien Note Edited: 0017650
2024-03-13 08:48 sebastien Status feedback => resolved
2024-03-13 08:48 sebastien Resolution open => fixed
2024-03-13 08:48 sebastien Fixed in Version => 5.10.1
2024-04-08 08:45 sebastien Note Added: 0017687