jodit 4.10.3 → 4.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/es2015/jodit.css +1 -1
  3. package/es2015/jodit.fat.min.js +15 -15
  4. package/es2015/jodit.js +359 -62
  5. package/es2015/jodit.min.js +7 -7
  6. package/es2015/plugins/debug/debug.css +1 -1
  7. package/es2015/plugins/debug/debug.js +1 -1
  8. package/es2015/plugins/debug/debug.min.js +1 -1
  9. package/es2015/plugins/speech-recognize/speech-recognize.css +1 -1
  10. package/es2015/plugins/speech-recognize/speech-recognize.js +1 -1
  11. package/es2015/plugins/speech-recognize/speech-recognize.min.js +1 -1
  12. package/es2018/jodit.fat.min.js +6 -6
  13. package/es2018/jodit.min.js +15 -15
  14. package/es2018/plugins/debug/debug.min.js +1 -1
  15. package/es2018/plugins/speech-recognize/speech-recognize.min.js +1 -1
  16. package/es2021/jodit.css +1 -1
  17. package/es2021/jodit.fat.min.js +8 -8
  18. package/es2021/jodit.js +358 -62
  19. package/es2021/jodit.min.js +9 -9
  20. package/es2021/plugins/debug/debug.css +1 -1
  21. package/es2021/plugins/debug/debug.js +1 -1
  22. package/es2021/plugins/debug/debug.min.js +1 -1
  23. package/es2021/plugins/speech-recognize/speech-recognize.css +1 -1
  24. package/es2021/plugins/speech-recognize/speech-recognize.js +1 -1
  25. package/es2021/plugins/speech-recognize/speech-recognize.min.js +1 -1
  26. package/es2021.en/jodit.css +1 -1
  27. package/es2021.en/jodit.fat.min.js +50 -50
  28. package/es2021.en/jodit.js +358 -62
  29. package/es2021.en/jodit.min.js +25 -25
  30. package/es2021.en/plugins/debug/debug.css +1 -1
  31. package/es2021.en/plugins/debug/debug.js +1 -1
  32. package/es2021.en/plugins/debug/debug.min.js +1 -1
  33. package/es2021.en/plugins/speech-recognize/speech-recognize.css +1 -1
  34. package/es2021.en/plugins/speech-recognize/speech-recognize.js +1 -1
  35. package/es2021.en/plugins/speech-recognize/speech-recognize.min.js +1 -1
  36. package/es5/jodit.css +2 -2
  37. package/es5/jodit.fat.min.js +2 -2
  38. package/es5/jodit.js +416 -62
  39. package/es5/jodit.min.css +2 -2
  40. package/es5/jodit.min.js +2 -2
  41. package/es5/plugins/debug/debug.css +1 -1
  42. package/es5/plugins/debug/debug.js +1 -1
  43. package/es5/plugins/debug/debug.min.js +1 -1
  44. package/es5/plugins/speech-recognize/speech-recognize.css +1 -1
  45. package/es5/plugins/speech-recognize/speech-recognize.js +1 -1
  46. package/es5/plugins/speech-recognize/speech-recognize.min.js +1 -1
  47. package/es5/polyfills.fat.min.js +1 -1
  48. package/es5/polyfills.js +1 -1
  49. package/es5/polyfills.min.js +1 -1
  50. package/esm/config.d.ts +85 -0
  51. package/esm/core/constants.js +1 -1
  52. package/esm/core/dom/dom.d.ts +1 -0
  53. package/esm/core/helpers/html/safe-html.d.ts +3 -2
  54. package/esm/core/helpers/html/safe-html.js +42 -3
  55. package/esm/plugins/clean-html/clean-html.js +4 -0
  56. package/esm/plugins/clean-html/config.d.ts +85 -0
  57. package/esm/plugins/clean-html/config.js +7 -1
  58. package/esm/plugins/clean-html/helpers/visitor/filters/convert-unsafe-embeds.d.ts +14 -0
  59. package/esm/plugins/clean-html/helpers/visitor/filters/convert-unsafe-embeds.js +37 -0
  60. package/esm/plugins/clean-html/helpers/visitor/filters/index.d.ts +4 -0
  61. package/esm/plugins/clean-html/helpers/visitor/filters/index.js +4 -0
  62. package/esm/plugins/clean-html/helpers/visitor/filters/safe-links-target.d.ts +14 -0
  63. package/esm/plugins/clean-html/helpers/visitor/filters/safe-links-target.js +38 -0
  64. package/esm/plugins/clean-html/helpers/visitor/filters/sandbox-iframes-in-content.d.ts +14 -0
  65. package/esm/plugins/clean-html/helpers/visitor/filters/sandbox-iframes-in-content.js +24 -0
  66. package/esm/plugins/clean-html/helpers/visitor/filters/sanitize-attributes.js +10 -5
  67. package/esm/plugins/clean-html/helpers/visitor/filters/sanitize-styles.d.ts +14 -0
  68. package/esm/plugins/clean-html/helpers/visitor/filters/sanitize-styles.js +70 -0
  69. package/esm/plugins/drag-and-drop/drag-and-drop.js +1 -1
  70. package/esm/plugins/enter/helpers/insert-paragraph.js +2 -1
  71. package/esm/plugins/file/file.js +3 -2
  72. package/esm/plugins/iframe/iframe.js +8 -6
  73. package/esm/plugins/image/image.js +3 -2
  74. package/esm/plugins/image-properties/writers/link.js +6 -0
  75. package/esm/plugins/link/link.js +15 -3
  76. package/esm/plugins/resizer/resizer.js +2 -2
  77. package/esm/plugins/source/editor/engines/area.js +3 -7
  78. package/package.json +1 -1
  79. package/types/config.d.ts +85 -0
  80. package/types/core/dom/dom.d.ts +1 -0
  81. package/types/core/helpers/html/safe-html.d.ts +3 -2
  82. package/types/plugins/clean-html/config.d.ts +85 -0
  83. package/types/plugins/clean-html/helpers/visitor/filters/convert-unsafe-embeds.d.ts +14 -0
  84. package/types/plugins/clean-html/helpers/visitor/filters/index.d.ts +4 -0
  85. package/types/plugins/clean-html/helpers/visitor/filters/safe-links-target.d.ts +14 -0
  86. package/types/plugins/clean-html/helpers/visitor/filters/sandbox-iframes-in-content.d.ts +14 -0
  87. package/types/plugins/clean-html/helpers/visitor/filters/sanitize-styles.d.ts +14 -0
package/CHANGELOG.md CHANGED
@@ -9,6 +9,34 @@
9
9
  > - :house: [Internal]
10
10
  > - :nail_care: [Polish]
11
11
 
12
+ ## 4.11.2
13
+
14
+ #### :boom: Breaking Change
15
+
16
+ - `cleanHTML.denyTags` default changed from `'script'` to `'script,iframe,object,embed'` — iframes, objects, and embeds are now blocked by default
17
+ - `cleanHTML.removeOnError` is deprecated in favor of `cleanHTML.removeEventAttributes` — all `on*` event handler attributes (`onerror`, `onclick`, `onload`, `onmouseover`, etc.) are now removed by default, not just `onerror`
18
+ - `cleanHTML.safeLinksTarget` is now `true` by default — links with `target="_blank"` automatically get `rel="noopener noreferrer"`
19
+ - `cleanHTML.sandboxIframesInContent` is now `true` by default — all `<iframe>` elements in editor content get `sandbox=""` attribute
20
+ - `cleanHTML.convertUnsafeEmbeds` is now `['object', 'embed']` by default — listed elements are converted to sandboxed `<iframe>`
21
+
22
+ #### :house: Internal
23
+
24
+ - Add Statoscope for webpack bundle size analysis and build comparison
25
+ - refactor: replace setAttribute and removeAttribute with attr helper in multiple files
26
+
27
+ #### :rocket: New Feature
28
+
29
+ - New option `cleanHTML.removeEventAttributes` — removes all `on*` event handler attributes for comprehensive XSS protection (onerror, onclick, onload, onmouseover, onfocus, etc.)
30
+ - New option `cleanHTML.safeLinksTarget` — automatically adds `rel="noopener noreferrer"` to `target="_blank"` links to prevent `window.opener` attacks
31
+ - New option `cleanHTML.allowedStyles` — whitelist of allowed CSS properties in `style` attributes, prevents CSS injection attacks (e.g. data exfiltration via `background-image: url(...)`)
32
+ - New option `cleanHTML.sanitizer` — hook for external sanitizer integration (e.g. DOMPurify). Called before Jodit's built-in sanitization
33
+ - New option `cleanHTML.sandboxIframesInContent` — adds `sandbox=""` to all `<iframe>` in editor content
34
+ - New option `cleanHTML.convertUnsafeEmbeds` (`false | string[]`) — converts listed tags to sandboxed `<iframe>`, customizable list
35
+
36
+ #### :memo: Documentation
37
+
38
+ - New comprehensive security guide: `docs/security.md` covering XSS protection, CSP, Trusted Types, HTML Sanitizer API, server-side sanitization, and hardened configuration examples
39
+
12
40
  ## 4.10.1
13
41
 
14
42
  #### :boom: Breaking Change
package/es2015/jodit.css CHANGED
@@ -1,7 +1,7 @@
1
1
  /*!
2
2
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
3
3
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
4
- * Version: v4.10.3
4
+ * Version: v4.11.2
5
5
  * Url: https://xdsoft.net/jodit/
6
6
  * License(s): MIT
7
7
  */