@underverse-ui/underverse 1.0.100 → 1.0.101

package/dist/index.d.cts

@@ -2955,7 +2955,11 @@ interface UEditorProps {
     onJsonChange?: (json: object) => void;
     uploadImage?: (file: File) => Promise<string> | string;
     uploadImageForSave?: UEditorUploadImageForSave;
+    uploadImageConcurrency?: number;
     imageInsertMode?: "base64" | "upload";
+    maxImageFileSize?: number;
+    allowedImageMimeTypes?: string[];
+    fallbackToDataUrl?: boolean;
     placeholder?: string;
     className?: string;
     editable?: boolean;
@@ -2983,9 +2987,10 @@ declare class UEditorPrepareContentForSaveError extends Error {
     readonly result: UEditorPrepareContentForSaveResult;
     constructor(result: UEditorPrepareContentForSaveResult);
 }
-declare function prepareUEditorContentForSave({ html, uploadImageForSave, }: {
+declare function prepareUEditorContentForSave({ html, uploadImageForSave, uploadConcurrency, }: {
     html: string;
     uploadImageForSave?: UEditorUploadImageForSave;
+    uploadConcurrency?: number;
 }): Promise<UEditorPrepareContentForSaveResult>;
 
 /** Button component for actions, icon buttons, loading states, and submit flows. */

package/dist/index.d.ts

@@ -2955,7 +2955,11 @@ interface UEditorProps {
     onJsonChange?: (json: object) => void;
     uploadImage?: (file: File) => Promise<string> | string;
     uploadImageForSave?: UEditorUploadImageForSave;
+    uploadImageConcurrency?: number;
     imageInsertMode?: "base64" | "upload";
+    maxImageFileSize?: number;
+    allowedImageMimeTypes?: string[];
+    fallbackToDataUrl?: boolean;
     placeholder?: string;
     className?: string;
     editable?: boolean;
@@ -2983,9 +2987,10 @@ declare class UEditorPrepareContentForSaveError extends Error {
     readonly result: UEditorPrepareContentForSaveResult;
     constructor(result: UEditorPrepareContentForSaveResult);
 }
-declare function prepareUEditorContentForSave({ html, uploadImageForSave, }: {
+declare function prepareUEditorContentForSave({ html, uploadImageForSave, uploadConcurrency, }: {
     html: string;
     uploadImageForSave?: UEditorUploadImageForSave;
+    uploadConcurrency?: number;
 }): Promise<UEditorPrepareContentForSaveResult>;
 
 /** Button component for actions, icon buttons, loading states, and submit flows. */

package/dist/index.js

@@ -23496,6 +23496,49 @@ var SlashCommand = Extension.create({
 // src/components/UEditor/clipboard-images.ts
 import { Extension as Extension2 } from "@tiptap/core";
 import { Plugin } from "@tiptap/pm/state";
+
+// src/components/UEditor/url-safety.ts
+var LINK_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]);
+var IMAGE_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
+function normalizeUrlInput(raw) {
+  return raw.trim().replace(/[\u0000-\u001F\u007F\s]+/g, "");
+}
+function isProtocolRelativeUrl(value) {
+  return value.startsWith("//");
+}
+function isRelativeUrl(value) {
+  return value.startsWith("/") || value.startsWith("./") || value.startsWith("../") || value.startsWith("#");
+}
+function isDataImageUrl(value) {
+  return /^data:image\/(?:png|jpe?g|gif|webp|svg\+xml|bmp|x-icon|avif);base64,/i.test(value);
+}
+function isSafeUEditorUrl(raw, kind) {
+  const value = normalizeUrlInput(raw);
+  if (!value) return false;
+  if (kind === "image" && isDataImageUrl(value)) return true;
+  if (isRelativeUrl(value)) return true;
+  if (isProtocolRelativeUrl(value)) return false;
+  try {
+    const parsed = new URL(value);
+    return kind === "image" ? IMAGE_PROTOCOLS.has(parsed.protocol) : LINK_PROTOCOLS.has(parsed.protocol);
+  } catch {
+    return false;
+  }
+}
+function sanitizeUEditorUrl(raw, kind) {
+  const value = raw.trim();
+  if (!value) return "";
+  if (isSafeUEditorUrl(value, kind)) return normalizeUrlInput(value);
+  if (kind === "link" && !isProtocolRelativeUrl(value) && !/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(value)) {
+    const withProtocol = `https://${value}`;
+    return isSafeUEditorUrl(withProtocol, kind) ? withProtocol : "";
+  }
+  return "";
+}
+
+// src/components/UEditor/clipboard-images.ts
+var DEFAULT_UEDITOR_IMAGE_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_UEDITOR_IMAGE_MIME_TYPES = ["image/png", "image/jpeg", "image/webp", "image/gif", "image/svg+xml"];
 function getImageFiles(dataTransfer) {
   if (!dataTransfer) return [];
   const itemFiles = [];
@@ -23527,7 +23570,7 @@ async function resolveImageSrc(file, options) {
   if (options.insertMode === "upload" && options.upload) {
     try {
       const result = await options.upload(file);
-      const src = typeof result === "string" ? result : "";
+      const src = typeof result === "string" ? sanitizeUEditorUrl(result, "image") : "";
       if (src) return src;
     } catch (err) {
       if (!options.fallbackToDataUrl) throw err;
@@ -23539,8 +23582,8 @@ var ClipboardImages = Extension2.create({
   name: "clipboardImages",
   addOptions() {
     return {
-      maxFileSize: 10 * 1024 * 1024,
-      allowedMimeTypes: ["image/png", "image/jpeg", "image/webp", "image/gif", "image/svg+xml"],
+      maxFileSize: DEFAULT_UEDITOR_IMAGE_MAX_FILE_SIZE,
+      allowedMimeTypes: DEFAULT_UEDITOR_IMAGE_MIME_TYPES,
       upload: void 0,
       fallbackToDataUrl: true,
       insertMode: "base64"
@@ -24399,6 +24442,9 @@ function buildUEditorExtensions({
   maxCharacters,
   uploadImage,
   imageInsertMode = "base64",
+  maxImageFileSize,
+  allowedImageMimeTypes,
+  fallbackToDataUrl,
   editable = true
 }) {
   return [
@@ -24452,12 +24498,20 @@ function buildUEditorExtensions({
     HorizontalRule,
     Link.configure({
       openOnClick: false,
+      protocols: ["http", "https", "mailto", "tel"],
+      isAllowedUri: (url) => isSafeUEditorUrl(url ?? "", "link"),
       HTMLAttributes: {
         class: "text-primary underline underline-offset-2 hover:text-primary/80 cursor-pointer"
       }
     }),
     resizable_image_default,
-    ClipboardImages.configure({ upload: uploadImage, insertMode: imageInsertMode }),
+    ClipboardImages.configure({
+      upload: uploadImage,
+      insertMode: imageInsertMode,
+      ...maxImageFileSize !== void 0 ? { maxFileSize: maxImageFileSize } : {},
+      ...allowedImageMimeTypes ? { allowedMimeTypes: allowedImageMimeTypes } : {},
+      ...fallbackToDataUrl !== void 0 ? { fallbackToDataUrl } : {}
+    }),
     TextStyle,
     font_family_default,
     font_size_default,
@@ -24713,11 +24767,7 @@ import { useEffect as useEffect33, useRef as useRef28, useState as useState43 }
 import { Check as Check10, X as X19 } from "lucide-react";
 import { jsx as jsx78, jsxs as jsxs66 } from "react/jsx-runtime";
 function normalizeUrl(raw) {
-  const url = raw.trim();
-  if (!url) return "";
-  if (url.startsWith("#") || url.startsWith("/")) return url;
-  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(url)) return url;
-  return `https://${url}`;
+  return sanitizeUEditorUrl(raw, "link");
 }
 var LinkInput = ({
   onSubmit,
@@ -24762,8 +24812,9 @@ var ImageInput = ({ onSubmit, onCancel }) => {
   }, []);
   const handleSubmit = (e) => {
     e.preventDefault();
-    if (url) {
-      onSubmit(url, alt);
+    const safeUrl = sanitizeUEditorUrl(url, "image");
+    if (safeUrl) {
+      onSubmit(safeUrl, alt);
     }
   };
   return /* @__PURE__ */ jsxs66("form", { onSubmit: handleSubmit, className: "p-3 space-y-3", children: [
@@ -24949,6 +25000,8 @@ var EditorToolbar = ({
   variant,
   uploadImage,
   imageInsertMode = "base64",
+  maxImageFileSize = DEFAULT_UEDITOR_IMAGE_MAX_FILE_SIZE,
+  allowedImageMimeTypes = DEFAULT_UEDITOR_IMAGE_MIME_TYPES,
   fontFamilies,
   fontSizes,
   lineHeights,
@@ -25016,10 +25069,13 @@ var EditorToolbar = ({
     setImageUploadError(null);
     for (const file of files) {
       if (!file.type.startsWith("image/")) continue;
+      if (file.size > maxImageFileSize) continue;
+      if (allowedImageMimeTypes.length > 0 && !allowedImageMimeTypes.includes(file.type)) continue;
       try {
         const src = imageInsertMode === "upload" && uploadImage ? await uploadImage(file) : await fileToDataUrl2(file);
-        if (!src) continue;
-        editor.chain().focus().setImage({ src, alt: file.name }).run();
+        const safeSrc = sanitizeUEditorUrl(src, "image");
+        if (!safeSrc) continue;
+        editor.chain().focus().setImage({ src: safeSrc, alt: file.name }).run();
         editor.commands.createParagraphNear();
       } catch {
         setImageUploadError(t("imageInput.uploadError"));
@@ -26230,12 +26286,12 @@ var MIME_EXTENSION_MAP = {
   "image/x-icon": "ico",
   "image/avif": "avif"
 };
-function isDataImageUrl(value) {
+function isDataImageUrl2(value) {
   return /^data:image\//i.test(value.trim());
 }
 function parseDataImageUrl(dataUrl) {
   const value = dataUrl.trim();
-  if (!isDataImageUrl(value)) return null;
+  if (!isDataImageUrl2(value)) return null;
   const commaIndex = value.indexOf(",");
   if (commaIndex < 0) return null;
   const header = value.slice(5, commaIndex);
@@ -26269,19 +26325,33 @@ function createFileFromDataImageUrl(dataUrl, index) {
 }
 function normalizeUploadResult(result) {
   if (typeof result === "string") {
-    const url2 = result.trim();
+    const url2 = sanitizeUEditorUrl(result, "image");
     if (!url2) throw new Error("Upload handler returned an empty URL.");
     return { url: url2 };
   }
   if (!result || typeof result !== "object") {
     throw new Error("Upload handler returned invalid result.");
   }
-  const url = typeof result.url === "string" ? result.url.trim() : "";
+  const url = typeof result.url === "string" ? sanitizeUEditorUrl(result.url, "image") : "";
   if (!url) throw new Error("Upload handler object result is missing `url`.");
   const { url: _ignoredUrl, ...rest } = result;
   const meta = Object.keys(rest).length > 0 ? rest : void 0;
   return { url, meta };
 }
+async function runWithConcurrency(items, concurrency, worker) {
+  const limit = Math.max(1, Math.floor(concurrency));
+  const results = new Array(items.length);
+  let nextIndex = 0;
+  async function runNext() {
+    while (nextIndex < items.length) {
+      const currentIndex = nextIndex;
+      nextIndex += 1;
+      results[currentIndex] = await worker(items[currentIndex]);
+    }
+  }
+  await Promise.all(Array.from({ length: Math.min(limit, items.length) }, runNext));
+  return results;
+}
 function getErrorReason(error) {
   if (error instanceof Error && error.message) return error.message;
   if (typeof error === "string" && error.trim()) return error;
@@ -26293,7 +26363,7 @@ function decodeHtmlEntities(value) {
 function normalizeImageUrl(url) {
   const input = decodeHtmlEntities(url.trim());
   if (!input) return "";
-  if (isDataImageUrl(input)) return input;
+  if (isDataImageUrl2(input)) return input;
   const isAbsolute = /^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(input);
   if (!isAbsolute) {
     return input.split("#")[0] ?? input;
@@ -26377,7 +26447,8 @@ var UEditorPrepareContentForSaveError = class extends Error {
 };
 async function prepareUEditorContentForSave({
   html,
-  uploadImageForSave
+  uploadImageForSave,
+  uploadConcurrency = 3
 }) {
   if (!html || !html.includes("<img")) {
     return createResult({ html, uploaded: [], inlineUploaded: [], errors: [] });
@@ -26390,7 +26461,7 @@ async function prepareUEditorContentForSave({
   for (const match of imgMatches) {
     if (!match.srcAttr) continue;
     const src = match.srcAttr.value.trim();
-    if (!isDataImageUrl(src)) continue;
+    if (!isDataImageUrl2(src)) continue;
     base64Candidates.push({
       id: `${match.start}:${match.end}`,
       match,
@@ -26416,8 +26487,10 @@ async function prepareUEditorContentForSave({
   const inlineUploaded = [];
   const errors = [];
   const replacements = /* @__PURE__ */ new Map();
-  const uploadResults = await Promise.all(
-    base64Candidates.map(async (candidate) => {
+  const uploadResults = await runWithConcurrency(
+    base64Candidates,
+    uploadConcurrency,
+    async (candidate) => {
       try {
         const file = createFileFromDataImageUrl(candidate.src, candidate.index);
         const uploadResult = await uploadImageForSave(file);
@@ -26426,7 +26499,7 @@ async function prepareUEditorContentForSave({
       } catch (error) {
         return { candidate, error: getErrorReason(error) };
       }
-    })
+    }
   );
   for (const item of uploadResults) {
     if ("error" in item) {
@@ -31764,7 +31837,11 @@ var UEditor = React74.forwardRef(({
   onJsonChange,
   uploadImage,
   uploadImageForSave,
+  uploadImageConcurrency = 3,
   imageInsertMode = "base64",
+  maxImageFileSize,
+  allowedImageMimeTypes,
+  fallbackToDataUrl,
   placeholder,
   className,
   editable = true,
@@ -31875,8 +31952,18 @@ var UEditor = React74.forwardRef(({
     setEditorResizeCursor("row-resize");
   }, [setEditorResizeCursor]);
   const extensions = useMemo24(
-    () => buildUEditorExtensions({ placeholder: effectivePlaceholder, translate: t, maxCharacters, uploadImage, imageInsertMode, editable }),
-    [effectivePlaceholder, t, maxCharacters, uploadImage, imageInsertMode, editable]
+    () => buildUEditorExtensions({
+      placeholder: effectivePlaceholder,
+      translate: t,
+      maxCharacters,
+      uploadImage,
+      imageInsertMode,
+      maxImageFileSize,
+      allowedImageMimeTypes,
+      fallbackToDataUrl,
+      editable
+    }),
+    [effectivePlaceholder, t, maxCharacters, uploadImage, imageInsertMode, maxImageFileSize, allowedImageMimeTypes, fallbackToDataUrl, editable]
   );
   const editor = useEditor({
     immediatelyRender: false,
@@ -32073,7 +32160,8 @@ var UEditor = React74.forwardRef(({
           const htmlSnapshot = editor?.getHTML() ?? content ?? "";
           inFlightPrepareRef.current = prepareUEditorContentForSave({
             html: htmlSnapshot,
-            uploadImageForSave
+            uploadImageForSave,
+            uploadConcurrency: uploadImageConcurrency
           }).finally(() => {
             inFlightPrepareRef.current = null;
           });
@@ -32085,7 +32173,7 @@ var UEditor = React74.forwardRef(({
         return result;
       }
     }),
-    [content, editor, uploadImageForSave]
+    [content, editor, uploadImageForSave, uploadImageConcurrency]
   );
   useEffect35(() => {
     if (!editor) return;
@@ -32215,21 +32303,6 @@ var UEditor = React74.forwardRef(({
       }
       state.previewHeight = nextHeight;
       applyPreviewRowHeight(state.rowElement, nextHeight);
-      const tr = editor.view.state.tr;
-      tr.setNodeMarkup(state.rowPos, void 0, {
-        ...state.rowNode.attrs,
-        rowHeight: nextHeight
-      });
-      editor.view.dispatch(tr);
-      state.rowNode = editor.view.state.doc.nodeAt(state.rowPos) ?? state.rowNode;
-      const refreshedRow = state.tableElement.rows.item(state.rowElement.rowIndex);
-      if (refreshedRow instanceof HTMLTableRowElement) {
-        state.rowElement = refreshedRow;
-        const refreshedCell = refreshedRow.cells.item(state.cellIndex);
-        if (refreshedCell instanceof HTMLTableCellElement) {
-          state.cellElement = refreshedCell;
-        }
-      }
       document.body.style.cursor = "row-resize";
       showRowGuide(state.tableElement, state.rowElement, state.cellElement);
     };
@@ -32240,7 +32313,16 @@ var UEditor = React74.forwardRef(({
         MIN_TABLE_ROW_HEIGHT,
         Math.round(state.startHeight + (event.clientY - state.startY))
       );
+      const rowNode = editor.view.state.doc.nodeAt(state.rowPos) ?? state.rowNode;
       clearPreviewRowHeight(state.rowElement);
+      if (rowNode.attrs.rowHeight !== nextHeight) {
+        const tr = editor.view.state.tr;
+        tr.setNodeMarkup(state.rowPos, void 0, {
+          ...rowNode.attrs,
+          rowHeight: nextHeight
+        });
+        editor.view.dispatch(tr);
+      }
       rowResizeStateRef.current = null;
       document.body.style.cursor = "";
       clearHoveredTableCell();
@@ -32328,6 +32410,8 @@ var UEditor = React74.forwardRef(({
             variant,
             uploadImage,
             imageInsertMode,
+            maxImageFileSize,
+            allowedImageMimeTypes,
             fontFamilies,
             fontSizes,
             lineHeights,