@ckeditor/ckeditor5-core 43.1.0-alpha.6 → 43.1.0-alpha.7

package/dist/editor/editorconfig.d.ts

@@ -814,8 +814,8 @@ export interface EditorConfig {
      *
      * We strongly recommend overwriting the default function to avoid XSS vulnerabilities.
      *
-     * Read more about the security aspect of this feature in the {@glink features/html/html-embed#security "Security"} section of
-     * the {@glink features/html/html-embed HTML embed} feature guide.
+     * Read more about the security aspect of this feature in the {@glink getting-started/setup/html-security "HTML security"}
+     * guide.
      *
      * The function receives the input HTML (as a string), and should return an object
      * that matches the {@link module:core/editor/editorconfig~SanitizedOutput} interface.
@@ -845,7 +845,7 @@ export interface EditorConfig {
      * * {@glink features/merge-fields Merge fields}
      *   (when {@link module:merge-fields/mergefieldsconfig~MergeFieldsConfig#previewHtmlValues `previewHtmlValues`} flag is set).
      */
-    sanitizeHtml?: (html: string) => SanitizedOutput;
+    sanitizeHtml?: HtmlSanitizationCallback;
     /**
      * Label text for the `aria-label` attribute set on editor editing area. Used by assistive technologies
      * to tell apart multiple editor instances (editing areas) on the page. If not set, a default
@@ -1040,3 +1040,4 @@ export interface SanitizedOutput {
      */
     hasChanged: boolean;
 }
+export type HtmlSanitizationCallback = (html: string) => SanitizedOutput;

package/dist/index.js

@@ -2,7 +2,7 @@
  * @license Copyright (c) 2003-2024, CKSource Holding sp. z o.o. All rights reserved.
  * For licensing, see LICENSE.md or https://ckeditor.com/legal/ckeditor-oss-license
  */
-import { ObservableMixin, insertToPriorityArray, EmitterMixin, CKEditorError, Config, Locale, Collection, KeystrokeHandler, setDataInElement } from '@ckeditor/ckeditor5-utils/dist/index.js';
+import { ObservableMixin, insertToPriorityArray, EmitterMixin, CKEditorError, Config, Locale, Collection, KeystrokeHandler, logWarning, setDataInElement } from '@ckeditor/ckeditor5-utils/dist/index.js';
 import { Model, StylesProcessor, DataController, EditingController, Conversion } from '@ckeditor/ckeditor5-engine/dist/index.js';
 import { EditorWatchdog, ContextWatchdog } from '@ckeditor/ckeditor5-watchdog/dist/index.js';
 import { isFunction } from 'lodash-es';
@@ -1844,6 +1844,21 @@ const DEFAULT_GROUP_ID = 'common';
         this.config = new Config(rest, defaultConfig);
         this.config.define('plugins', availablePlugins);
         this.config.define(this._context._getEditorConfig());
+        this.config.define('sanitizeHtml', function(rawHtml) {
+            /**
+			 * One of the editor features directly inserts unsanitized HTML code into the editor.
+			 * It is strongly recommended to define a sanitize function that will clean up the input HTML
+			 * in order to avoid XSS vulnerability.
+			 *
+			 * For a detailed overview, check the {@glink getting-started/setup/html-security "HTML security"} guide.
+			 *
+			 * @error provide-sanitize-function
+			 */ logWarning('provide-sanitize-function');
+            return {
+                html: rawHtml,
+                hasChanged: false
+            };
+        });
         this.plugins = new PluginCollection(this, availablePlugins, this._context.plugins);
         this.locale = this._context.locale;
         this.t = this.locale.t;