lexxy 0.9.6.beta → 0.9.7.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b3e32d6616564bae023ac462dadcbc6a9b3ca526e152d1f0166233e64483548
-  data.tar.gz: c8f19bbac5ae8129e4b70e769233005598005b04f9820e4f025dccaca67ced73
+  metadata.gz: d626ffd428a2d550fb3439d9ee89e2e71a86f6bdaa3a990d5c5f8954394e5529
+  data.tar.gz: 98f0d3b26df745b0a6477e508de91bf2f9be89c079fccf3f3d53648c92d311b6
 SHA512:
-  metadata.gz: 5f4862084d7dd764d555ab65995f005249071ab747314ee499150f2708b2ec09af785f0347fd3dc5a7039d61a9b64889f5300a47ea463171633bd865c521ce6b
-  data.tar.gz: a1eb5afc29e8ef304c534bb75c9375d0f3dbc80aafbb55ab7981ff8de9043acbf9f07ac88569d46fe0824c6da41759d42330e300acf9a8083c1fdf2bed0f8cac
+  metadata.gz: 286a01f5de6b3d69347a1a40f54709718e245c4de7f3cca176635a2acb44fcea5e19d78f5fac1b9aaef66c1671d920073700c28918350d3d62f20e71931fa6dd
+  data.tar.gz: 0003b9f77dc7c231067a69ca758626941df4cec24393d3f897b6705b3526e5e8260f290f9fa8591bf7a3d982e4fac3e2033a9aaa16ce33b9665a60f2d4f9c4fd

data/README.md

@@ -3,7 +3,7 @@
 A modern rich text editor for Rails.
 
 > [!IMPORTANT]
-> This is an early beta. It hasn't been battle-tested yet. Please try it out and report any issues you find.
+> This is a beta. It hasn't been battle-tested yet. Please try it out and report any issues you find.
 
 **[Try it out!](https://basecamp.github.io/lexxy/try-it)**
 
@@ -26,7 +26,7 @@ Visit the **[documentation site](https://basecamp.github.io/lexxy)**.
 
 ## Roadmap
 
-This is an early beta. Here's what's coming next:
+This is a beta. Here's what's coming next:
 
 - [x] Configurable editors in Action Text: Choose your editor like you choose your database.
 - [x] More editing features:

data/app/assets/javascript/lexxy.js

@@ -6247,7 +6247,7 @@ purify.addHook("uponSanitizeElement", (node, data) => {
   }
 });
 
-function buildConfig(allowedElements) {
+function buildConfig(allowedElements ) {
   const tagAttributes = {};
 
   for (const element of allowedElements) {
@@ -7551,15 +7551,12 @@ var Lexxy = {
   }
 };
 
-function sanitize(html, allowedElements) {
-  return purify.sanitize(html, buildConfig(allowedElements))
+function setSanitizerConfig(allowedTags) {
+  purify.clearConfig();
+  purify.setConfig(buildConfig(allowedTags));
 }
 
-// Sanitize HTML for custom attachment content (mentions, cards, etc.).
-// Uses DOMPurify defaults to strip XSS vectors (scripts, event handlers)
-// while preserving the richer tag set that server-rendered attachment
-// content legitimately uses (e.g. <span>, <div>, <img>).
-function sanitizeAttachmentContent(html) {
+function sanitize(html) {
   return purify.sanitize(html)
 }
 
@@ -7655,7 +7652,7 @@ class CustomActionTextAttachmentNode extends Fi {
   createDOM() {
     const figure = createElement(this.tagName, { "content-type": this.contentType, "data-lexxy-decorator": true });
 
-    figure.insertAdjacentHTML("beforeend", sanitizeAttachmentContent(this.innerHtml));
+    figure.insertAdjacentHTML("beforeend", sanitize(this.innerHtml));
 
     const deleteButton = createElement("lexxy-node-delete-button");
     figure.appendChild(deleteButton);
@@ -13185,7 +13182,7 @@ class LexicalEditorElement extends HTMLElement {
   get value() {
     if (!this.cachedValue) {
       this.editor?.getEditorState().read(() => {
-        this.cachedValue = sanitize(g(this.editor, null), this.#allowedElements);
+        this.cachedValue = sanitize(g(this.editor, null));
       });
     }
 
@@ -13244,6 +13241,7 @@ class LexicalEditorElement extends HTMLElement {
     this.#registerFocusEvents();
     this.#attachDebugHooks();
     this.#attachToolbar();
+    this.#configureSanitizer();
     this.#loadInitialValue();
     this.#resetBeforeTurboCaches();
   }
@@ -13520,6 +13518,10 @@ class LexicalEditorElement extends HTMLElement {
     }
   }
 
+  #configureSanitizer() {
+    setSanitizerConfig(this.#allowedElements);
+  }
+
   get #allowedElements() {
     return this.#importableTags.concat(this.extensions.allowedElements)
   }