decap-cms-widget-markdown 3.7.0 → 3.9.0

package/dist/esm/MarkdownControl/index.js

@@ -39,13 +39,24 @@ export default class MarkdownControl extends React.Component {
     const preferredMode = localStorage.getItem(MODE_STORAGE_KEY) ?? 'rich_text';
     _getEditorComponents = props.getEditorComponents;
     this.state = {
-      mode: this.getAllowedModes().indexOf(preferredMode) !== -1 ? preferredMode : this.getAllowedModes()[0],
+      mode:
+      // When used inside a container/shortcode editor component, default to
+      // raw mode — the widget type already implies the editing surface.
+      props.isEditorComponent ? 'raw' : this.getAllowedModes().indexOf(preferredMode) !== -1 ? preferredMode : this.getAllowedModes()[0],
       pendingFocus: false
     };
   }
   componentDidMount() {
     // Manually validate PropTypes - React 19 breaking change
     PropTypes.checkPropTypes(MarkdownControl.propTypes, this.props, 'prop', 'MarkdownControl');
+
+    // Ensure containerised widgets start in the correct mode even if the
+    // constructor ran before the prop was available (e.g. HMR / late prop).
+    if (this.props.isEditorComponent && this.state.mode !== 'raw') {
+      this.setState({
+        mode: 'raw'
+      });
+    }
   }
   handleMode = mode => {
     this.setState({
@@ -84,7 +95,8 @@ export default class MarkdownControl extends React.Component {
       mode,
       pendingFocus
     } = this.state;
-    const isShowModeToggle = this.getAllowedModes().length > 1;
+    const isEditorComponent = this.props.isEditorComponent;
+    const isShowModeToggle = this.getAllowedModes().length > 1 && !isEditorComponent;
     const visualEditor = ___EmotionJSX("div", {
       className: "cms-editor-visual",
       ref: this.processRef

package/dist/esm/MarkdownControl/plugins/html/withHtml.js

@@ -1,11 +1,34 @@
 // source: https://github.com/ianstormtaylor/slate/blob/main/site/examples/ts/paste-html.tsx
+import DOMPurify from 'dompurify';
 import { jsx } from 'slate-hyperscript';
 import { Transforms } from 'slate';
+function sanitizeElementUrl(url, {
+  allowDataImage = false
+} = {}) {
+  if (!url) {
+    return null;
+  }
+  const trimmed = url.trim();
+  if (!trimmed) {
+    return null;
+  }
+  const normalized = trimmed.replace(/\s+/g, '').toLowerCase();
+  if (normalized.startsWith('javascript:') || normalized.startsWith('vbscript:') || normalized.startsWith('file:')) {
+    return null;
+  }
+  if (normalized.startsWith('data:')) {
+    return allowDataImage && /^data:image\/(?!svg\+xml)[a-z0-9.+-]+[;,]/i.test(normalized) ? trimmed : null;
+  }
+  return trimmed;
+}
 const ELEMENT_TAGS = {
-  A: el => ({
-    type: 'link',
-    url: el.getAttribute('href')
-  }),
+  A: el => {
+    const url = sanitizeElementUrl(el.getAttribute('href'));
+    return url ? {
+      type: 'link',
+      url
+    } : undefined;
+  },
   BLOCKQUOTE: () => ({
     type: 'quote'
   }),
@@ -27,10 +50,15 @@ const ELEMENT_TAGS = {
   H6: () => ({
     type: 'heading-six'
   }),
-  IMG: el => ({
-    type: 'image',
-    url: el.getAttribute('src')
-  }),
+  IMG: el => {
+    const url = sanitizeElementUrl(el.getAttribute('src'), {
+      allowDataImage: true
+    });
+    return url ? {
+      type: 'image',
+      url
+    } : null;
+  },
   LI: () => ({
     type: 'list-item'
   }),
@@ -82,7 +110,7 @@ const INLINE_STYLES = {
 };
 function deserialize(el) {
   if (el.nodeType === 3) {
-    return el.textContent;
+    return el.textContent.replace(/(\r)?\n/g, '');
   } else if (el.nodeType !== 1) {
     return null;
   } else if (el.nodeName === 'BR') {
@@ -106,6 +134,12 @@ function deserialize(el) {
   }
   if (ELEMENT_TAGS[nodeName]) {
     const attrs = ELEMENT_TAGS[nodeName](el);
+    if (attrs === undefined) {
+      return children;
+    }
+    if (attrs === null) {
+      return null;
+    }
     return jsx('element', attrs, children);
   }
   if (TEXT_TAGS[nodeName]) {
@@ -143,7 +177,8 @@ function withHtml(editor) {
   editor.insertData = data => {
     const html = data.getData('text/html');
     if (html) {
-      const parsed = new DOMParser().parseFromString(html, 'text/html');
+      const sanitizedHtml = DOMPurify.sanitize(html);
+      const parsed = new DOMParser().parseFromString(sanitizedHtml, 'text/html');
       const fragment = deserialize(parsed.body);
       Transforms.insertFragment(editor, fragment);
       return;

package/dist/esm/MarkdownControl/plugins/shortcodes/insertShortcode.js

@@ -1,7 +1,7 @@
 import { Transforms } from 'slate';
 import isCursorInEmptyParagraph from './locations/isCursorInEmptyParagraph';
 function insertShortcode(editor, pluginConfig) {
-  const defaultValues = pluginConfig.fields.toMap().mapKeys((_, field) => field.get('name')).filter(field => field.has('default')).map(field => field.get('default'));
+  const defaultValues = pluginConfig.fields.toMap().mapKeys((_, field) => field.get('name')).map(field => field.get('default', ''));
   const nodeData = {
     type: 'shortcode',
     id: pluginConfig.id,