ckeditor5 1.23.2 → 1.23.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d4e4581fc1d9ebbf70b9213ce10a444b5ad2633f45334a7e343f875a8f7180ee
-  data.tar.gz: 251313b3f5eb8152f9385b9f4e159e30223b9a2bf0edff5009d3b85459d062c4
+  metadata.gz: 0d717a5397379dffdfd252d92c6b6f58a524430c0ae99798a46ff7f71556d3b9
+  data.tar.gz: 046715b5823ae3f38b3b2c1175fa4f1bdd5e34f9e260777dbcb714be287ec18b
 SHA512:
-  metadata.gz: bdce490b8f96f7c365b3cdb782afccb02c8b372c93df042c76cfb10540d56f742b355af8c4d55a638399db4bccf661469117ae55c9cdd1a92b16e993bab37980
-  data.tar.gz: 9d54670405e3030075495bc0cbceb60524803658e23535f84bf5a72570917cbbdc32ab7130b0c1d1554c5f3065b3d7067afef3df4ae93df260608d20de8b6725
+  metadata.gz: a552a32f61e75023f913b6df8c414b9af075942b97144e10582c4cfa1955bf988de8be6f2e652618ae3640364691f20c9ae3b679f3eb2017f78d3aa740580616
+  data.tar.gz: 934d9853eb527d2f8a65ecc87e6c4fac989a0bb1133f5a3b6154ebe8aca3239199a84a801c048e6909919b76295bae3e29f6af9e60f98f2cee46cfb8167647d7

data/README.md

@@ -1,8 +1,8 @@
 # CKEditor 5 Rails Integration ✨
 
 [![License: GPL v2](https://img.shields.io/badge/License-GPL_v2-blue.svg?style=flat-square)](https://www.gnu.org/licenses/old-licenses/gpl-2.0.en.html)
-![Gem Version](https://img.shields.io/gem/v/ckeditor5?style=flat-square)
-![Gem Total Downloads](https://img.shields.io/gem/dt/ckeditor5?style=flat-square&color=orange)
+[![Gem Version](https://img.shields.io/gem/v/ckeditor5?style=flat-square)](https://rubygems.org/gems/ckeditor5)
+[![Gem Total Downloads](https://img.shields.io/gem/dt/ckeditor5?style=flat-square&color=orange)](https://rubygems.org/gems/ckeditor5)
 [![Coverage](https://img.shields.io/codecov/c/github/mati365/ckeditor5-rails?style=flat-square)](https://codecov.io/gh/mati365/ckeditor5-rails)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-green.svg?style=flat-square)](http://makeapullrequest.com)
 ![GitHub code size in bytes](https://img.shields.io/github/languages/code-size/mati365/ckeditor5-rails?style=flat-square)

data/lib/ckeditor5/rails/assets/webcomponent_bundle.rb

@@ -3,38 +3,54 @@
 require 'singleton'
 require 'terser'
 
-module CKEditor5::Rails::Assets
-  class WebComponentBundle
-    include ActionView::Helpers::TagHelper
-    include Singleton
-
-    WEBCOMPONENTS_PATH = File.join(__dir__, 'webcomponents')
-    WEBCOMPONENTS_MODULES = [
-      'utils.mjs',
-      'components/editable.mjs',
-      'components/ui-part.mjs',
-      'components/editor.mjs',
-      'components/context.mjs'
-    ].freeze
-
-    def source
-      @source ||= compress_source(raw_source)
-    end
-
-    def to_html
-      @to_html ||= tag.script(source, type: 'module', nonce: true)
-    end
-
-    private
-
-    def raw_source
-      @raw_source ||= WEBCOMPONENTS_MODULES.map do |file|
-        File.read(File.join(WEBCOMPONENTS_PATH, file))
-      end.join("\n")
-    end
-
-    def compress_source(code)
-      Terser.new(compress: true, mangle: true).compile(code).html_safe
+require_relative '../editor/props_inline_plugin'
+
+module CKEditor5::Rails
+  module Assets
+    class WebComponentBundle
+      include ActionView::Helpers::TagHelper
+      include Singleton
+
+      WEBCOMPONENTS_PATH = File.join(__dir__, 'webcomponents')
+      WEBCOMPONENTS_MODULES = [
+        'utils.mjs',
+        'components/editable.mjs',
+        'components/ui-part.mjs',
+        'components/editor.mjs',
+        'components/context.mjs'
+      ].freeze
+
+      def source
+        @source ||= compress_source(raw_source)
+      end
+
+      def to_html
+        @to_html ||= tag.script(source, type: 'module', nonce: true)
+      end
+
+      private
+
+      def raw_source
+        @raw_source ||= WEBCOMPONENTS_MODULES.map do |file|
+          content = File.read(File.join(WEBCOMPONENTS_PATH, file))
+
+          if file == 'utils.mjs'
+            inject_inline_code_signatures(content)
+          else
+            content
+          end
+        end.join("\n")
+      end
+
+      def inject_inline_code_signatures(content)
+        json_signatures = Editor::InlinePluginsSignaturesRegistry.instance.to_a.to_json
+
+        content.sub('__INLINE_CODE_SIGNATURES_PLACEHOLDER__', json_signatures)
+      end
+
+      def compress_source(code)
+        Terser.new(compress: true, mangle: true).compile(code).html_safe
+      end
     end
   end
 end

data/lib/ckeditor5/rails/assets/webcomponents/components/editor.mjs

@@ -568,10 +568,14 @@ class CKEditorComponent extends HTMLElement {
   }
 
   /**
-   * Gets bundle JSON description from translations attribute
+   * Gets bundle JSON description from translations attribute.
+   *
+   * **warning**: It's present only if the editor is loaded lazily.
    */
   #getBundle() {
-    return this.#bundle ||= JSON.parse(this.getAttribute('bundle'));
+    return this.#bundle ||= JSON.parse(
+      this.getAttribute('bundle') || '{ "scripts": [], "stylesheets": [] }'
+    );
   }
 
 

data/lib/ckeditor5/rails/assets/webcomponents/utils.mjs

@@ -20,6 +20,22 @@ function execIfDOMReady(callback) {
   }
 }
 
+/**
+ * Verifies code signature using SHA-256 hash.
+ *
+ * @param {string} code - Source code to verify
+ * @returns {Promise<boolean>} True if code signature is valid
+ */
+async function verifyCodeSignature(code) {
+  const signature = await crypto.subtle
+      .digest('SHA-256', new TextEncoder().encode(code))
+      .then(hash => Array.from(new Uint8Array(hash))
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join(''));
+
+  return __INLINE_CODE_SIGNATURES_PLACEHOLDER__.includes(signature);
+}
+
 /**
  * Dynamically imports modules based on configuration
  *
@@ -31,10 +47,14 @@ function execIfDOMReady(callback) {
  * @param {Object} imports[].window_name - Global window object name (for external type)
  * @param {('inline'|'external')} imports[].type - Type of import
  * @returns {Promise<Array<any>>} Array of loaded modules
- * @throws {Error} When plugin loading fails
+ * @throws {Error} When plugin loading fails or signature validation fails
  */
 function loadAsyncImports(imports = []) {
   const loadInlinePlugin = async ({ name, code }) => {
+    if (!await verifyCodeSignature(code)) {
+      throw new Error(`Invalid code signature for inline plugin "${name}"!`);
+    }
+
     const module = await import(`data:text/javascript,${encodeURIComponent(code)}`);
 
     if (!module.default) {

data/lib/ckeditor5/rails/cdn/helpers.rb

@@ -99,7 +99,8 @@ module CKEditor5::Rails
 
       if importmap_available?
         @__ckeditor_context = {
-          bundle: combined_bundle
+          bundle: combined_bundle,
+          lazy: true
         }
 
         return Assets::WebComponentBundle.instance.to_html

data/lib/ckeditor5/rails/context/helpers.rb

@@ -40,8 +40,8 @@ module CKEditor5::Rails::Context
     #   <% preset = ckeditor5_context_preset do
     #     plugins :Comments, :TrackChanges, :Collaboration  # Shared functionality plugins
     #   end %>
-    def ckeditor5_context_preset(&block)
-      PresetBuilder.new(&block)
+    def ckeditor5_context_preset(**kwargs, &block)
+      PresetBuilder.new(disallow_inline_plugins: true, **kwargs, &block)
     end
   end
 end

data/lib/ckeditor5/rails/context/preset_builder.rb

@@ -38,7 +38,8 @@ module CKEditor5::Rails
       #     version '43.3.1'
       #     toolbar :bold, :italic
       #   end
-      def initialize(&block)
+      def initialize(disallow_inline_plugins: false, &block)
+        @disallow_inline_plugins = disallow_inline_plugins
         @config = {
           plugins: []
         }

data/lib/ckeditor5/rails/editor/helpers/config_helpers.rb

@@ -50,7 +50,10 @@ module CKEditor5::Rails::Editor::Helpers
 
       raise ArgumentError, 'Configuration block is required for preset definition' unless block_given?
 
-      CKEditor5::Rails::Presets::PresetBuilder.new(&block)
+      CKEditor5::Rails::Presets::PresetBuilder.new(
+        disallow_inline_plugins: true,
+        &block
+      )
     end
   end
 end

data/lib/ckeditor5/rails/editor/helpers/editor_helpers.rb

@@ -56,7 +56,7 @@ module CKEditor5::Rails
     #   <%= form_for @post do |f| %>
     #     <%= f.ckeditor5 :content, required: true %>
     #   <% end %>
-    def ckeditor5_editor( # rubocop:disable Metrics/ParameterLists
+    def ckeditor5_editor( # rubocop:disable Metrics/ParameterLists,Metrics/CyclomaticComplexity
       preset: nil,
       config: nil, extra_config: {}, type: nil,
       initial_data: nil, watchdog: true,
@@ -78,7 +78,9 @@ module CKEditor5::Rails
 
       editor_props = Editor::Props.new(
         type, config,
-        bundle: context[:bundle],
+        # Use fallback only if there is no `ckeditor5_assets` in the head.
+        # So web-component will be loaded from the CDN.
+        bundle: context[:lazy] ? context[:bundle] : nil,
         watchdog: watchdog,
         editable_height: editable_height || preset.editable_height
       )
@@ -159,13 +161,15 @@ module CKEditor5::Rails
 
         return {
           bundle: create_preset_bundle(found_preset),
-          preset: found_preset
+          preset: found_preset,
+          lazy: true
         }
       end
 
       {
         bundle: nil,
-        preset: Engine.default_preset
+        preset: Engine.default_preset,
+        lazy: true
       }
     end
   end

data/lib/ckeditor5/rails/editor/props.rb

@@ -45,7 +45,7 @@ module CKEditor5::Rails::Editor
 
     def serialized_attributes
       {
-        bundle: bundle.to_json,
+        bundle: bundle&.to_json,
         plugins: serialize_plugins,
         config: serialize_config,
         watchdog: watchdog

data/lib/ckeditor5/rails/editor/props_inline_plugin.rb

@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
+require 'singleton'
+require 'digest'
+
 require_relative 'props_base_plugin'
 
 module CKEditor5::Rails::Editor
@@ -11,6 +14,8 @@ module CKEditor5::Rails::Editor
 
       @code = code
       validate_code!
+
+      InlinePluginsSignaturesRegistry.instance.register(code)
     end
 
     def to_h
@@ -32,4 +37,28 @@ module CKEditor5::Rails::Editor
             'Code must include `export default` that exports plugin definition!'
     end
   end
+
+  class InlinePluginsSignaturesRegistry
+    include Singleton
+
+    def initialize
+      @signatures = Set.new
+    end
+
+    def register(code)
+      signature = generate_signature(code)
+      @signatures.add(signature)
+      signature
+    end
+
+    def to_a
+      @signatures.to_a
+    end
+
+    private
+
+    def generate_signature(code)
+      Digest::SHA256.hexdigest(code)
+    end
+  end
 end

data/lib/ckeditor5/rails/presets/concerns/plugin_methods.rb

@@ -1,21 +1,18 @@
 # frozen_string_literal: true
 
+require 'active_support'
+
 module CKEditor5::Rails
   module Presets
     module Concerns
       module PluginMethods
-        private
+        extend ActiveSupport::Concern
 
-        # Register a plugin in the editor configuration
-        #
-        # @param plugin_obj [Editor::PropsBasePlugin] Plugin instance to register
-        # @return [Editor::PropsBasePlugin] The registered plugin
-        def register_plugin(plugin_obj)
-          config[:plugins] << plugin_obj
-          plugin_obj
-        end
+        class DisallowedInlinePlugin < ArgumentError; end
 
-        public
+        included do
+          attr_reader :disallow_inline_plugins
+        end
 
         # Registers an external plugin loaded from a URL
         #
@@ -89,6 +86,29 @@ module CKEditor5::Rails
           builder.instance_eval(&block) if block_given?
           builder
         end
+
+        private
+
+        def looks_like_inline_plugin?(plugin)
+          plugin.to_h[:type] == :inline
+        end
+
+        # Register a plugin in the editor configuration.
+        #
+        # It will raise an error if inline plugins are not allowed and the plugin is an inline plugin.
+        # Most likely, this is being thrown when you use inline_plugin definition in a place where
+        # it's not allowed (e.g. in a preset definition placed in controller).
+        #
+        # @param plugin_obj [Editor::PropsBasePlugin] Plugin instance to register
+        # @return [Editor::PropsBasePlugin] The registered plugin
+        def register_plugin(plugin_obj)
+          if disallow_inline_plugins && looks_like_inline_plugin?(plugin_obj)
+            raise DisallowedInlinePlugin, 'Inline plugins are not allowed here.'
+          end
+
+          config[:plugins] << plugin_obj
+          plugin_obj
+        end
       end
     end
   end

data/lib/ckeditor5/rails/presets/preset_builder.rb

@@ -16,7 +16,8 @@ module CKEditor5::Rails
       #     gpl
       #     type :classic
       #   end
-      def initialize(&block)
+      def initialize(disallow_inline_plugins: false, &block)
+        @disallow_inline_plugins = disallow_inline_plugins
         @version = nil
         @premium = false
         @cdn = :jsdelivr

data/lib/ckeditor5/rails/version.rb

@@ -2,7 +2,7 @@
 
 module CKEditor5
   module Rails
-    VERSION = '1.23.2'
+    VERSION = '1.23.3'
 
     DEFAULT_CKEDITOR_VERSION = '44.1.0'
   end

data/spec/lib/ckeditor5/rails/context/helpers_spec.rb

@@ -107,5 +107,18 @@ RSpec.describe CKEditor5::Rails::Context::Helpers do
         preset: :custom
       )
     end
+
+    it 'raises error when trying to define inline plugin' do
+      expect do
+        helper.ckeditor5_context_preset do
+          inline_plugin :TestPlugin, <<~JS
+            export default class TestPlugin { }
+          JS
+        end
+      end.to raise_error(
+        CKEditor5::Rails::Presets::Concerns::PluginMethods::DisallowedInlinePlugin,
+        'Inline plugins are not allowed here.'
+      )
+    end
   end
 end

data/spec/lib/ckeditor5/rails/editor/helpers/config_helpers_spec.rb

@@ -38,6 +38,22 @@ RSpec.describe CKEditor5::Rails::Editor::Helpers::Config do
       it 'yields the block to PresetBuilder' do
         expect { |b| helper.ckeditor5_preset(&b) }.to yield_control
       end
+
+      it 'does not allow inline plugins definition' do
+        expect do
+          helper.ckeditor5_preset do
+            inline_plugin :CustomPlugin, <<~JS
+              import Plugin from '@ckeditor/ckeditor5-core/src/plugin';
+              export default class CustomPlugin extends Plugin {
+                static get pluginName() { return 'CustomPlugin'; }
+              }
+            JS
+          end
+        end.to raise_error(
+          CKEditor5::Rails::Presets::Concerns::PluginMethods::DisallowedInlinePlugin,
+          'Inline plugins are not allowed here.'
+        )
+      end
     end
 
     context 'when neither name nor block is provided' do

data/spec/lib/ckeditor5/rails/editor/helpers/editor_helpers_spec.rb

@@ -58,6 +58,7 @@ RSpec.describe CKEditor5::Rails::Editor::Helpers::Editor do
       result = helper.ckeditor5_context_or_fallback(:custom)
       expect(result).to match({
                                 bundle: 'custom-bundle',
+                                lazy: true,
                                 preset: custom_preset
                               })
     end
@@ -71,9 +72,33 @@ RSpec.describe CKEditor5::Rails::Editor::Helpers::Editor do
       result = helper.ckeditor5_context_or_fallback(nil)
       expect(result).to match({
                                 bundle: nil,
+                                lazy: true,
                                 preset: :default
                               })
     end
+
+    it 'includes lazy flag in fallback context' do
+      allow(CKEditor5::Rails::Engine).to receive(:default_preset)
+        .and_return(:default)
+
+      result = helper.ckeditor5_context_or_fallback(nil)
+      expect(result[:lazy]).to be true
+    end
+
+    it 'includes lazy flag in preset context' do
+      custom_preset = instance_double(CKEditor5::Rails::Presets::PresetBuilder)
+
+      allow(CKEditor5::Rails::Engine).to receive(:find_preset)
+        .with(:custom)
+        .and_return(custom_preset)
+
+      allow(helper).to receive(:create_preset_bundle)
+        .with(custom_preset)
+        .and_return('custom-bundle')
+
+      result = helper.ckeditor5_context_or_fallback(:custom)
+      expect(result[:lazy]).to be true
+    end
   end
 
   describe '#ckeditor5_editor' do
@@ -225,6 +250,31 @@ RSpec.describe CKEditor5::Rails::Editor::Helpers::Editor do
         expect(helper.ckeditor5_editor(editable_height: 600)).to include('editable-height="600px"')
       end
     end
+
+    context 'when using bundles' do
+      let(:bundle) { 'test-bundle' }
+      let(:context) { { preset: :default, bundle: bundle, lazy: true } }
+
+      it 'uses bundle from context when lazy is true' do
+        expect(CKEditor5::Rails::Editor::Props).to receive(:new)
+          .with(anything, anything, hash_including(bundle: bundle))
+          .and_call_original
+
+        helper.ckeditor5_editor
+      end
+
+      context 'when lazy is false' do
+        let(:context) { { preset: :default, bundle: bundle, lazy: false } }
+
+        it 'does not use bundle from context' do
+          expect(CKEditor5::Rails::Editor::Props).to receive(:new)
+            .with(anything, anything, hash_including(bundle: nil))
+            .and_call_original
+
+          helper.ckeditor5_editor
+        end
+      end
+    end
   end
 
   describe '#ckeditor5_editable' do

data/spec/lib/ckeditor5/rails/hooks/form_spec.rb

@@ -18,24 +18,10 @@ RSpec.describe CKEditor5::Rails::Hooks::Form do
       subject(:rendered_editor) { builder.build_editor(:content) }
 
       it 'renders ckeditor element' do
-        bundle_json = {
-          scripts: [
-            {
-              import_name: 'ckeditor5',
-              url: 'https://cdn.jsdelivr.net/npm/ckeditor5@34.1.0/dist/browser/ckeditor5.js',
-              translation: false
-            }
-          ],
-          stylesheets: [
-            'https://cdn.jsdelivr.net/npm/ckeditor5@34.1.0/dist/browser/ckeditor5.css'
-          ]
-        }.to_json
-
         attrs = {
           name: 'post[content]',
           id: 'post_content',
           type: 'ClassicEditor',
-          bundle: bundle_json,
           watchdog: 'true'
         }
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ckeditor5
 version: !ruby/object:Gem::Version
-  version: 1.23.2
+  version: 1.23.3
 platform: ruby
 authors:
 - Mateusz Bagiński
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-12-17 00:00:00.000000000 Z
+date: 2024-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails