jodit 4.10.3 → 4.11.2

package/esm/plugins/clean-html/helpers/visitor/filters/sanitize-styles.js

@@ -0,0 +1,70 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+import { Dom } from "../../../../../core/dom/dom.js";
+import { attr } from "../../../../../core/helpers/utils/attr.js";
+/**
+ * Filter CSS properties in style attributes based on allowedStyles whitelist
+ * @private
+ */
+export function sanitizeStyles(jodit, nodeElm, hadEffect) {
+    const allowedStyles = jodit.o.cleanHTML.allowedStyles;
+    if (!allowedStyles || !Dom.isElement(nodeElm)) {
+        return hadEffect;
+    }
+    const elm = nodeElm;
+    const style = attr(elm, 'style');
+    if (!style) {
+        return hadEffect;
+    }
+    const tagName = nodeElm.nodeName.toLowerCase();
+    const allowed = getAllowedPropsForTag(tagName, allowedStyles);
+    if (!allowed) {
+        return hadEffect;
+    }
+    const filtered = filterStyleProperties(style, allowed);
+    if (filtered !== style) {
+        attr(elm, 'style', filtered || null);
+        return true;
+    }
+    return hadEffect;
+}
+function getAllowedPropsForTag(tagName, allowedStyles) {
+    const tagSpecific = allowedStyles[tagName];
+    const global = allowedStyles['*'];
+    if (!tagSpecific && !global) {
+        return null;
+    }
+    const set = new Set();
+    if (global) {
+        for (const prop of global) {
+            set.add(prop.toLowerCase());
+        }
+    }
+    if (tagSpecific) {
+        for (const prop of tagSpecific) {
+            set.add(prop.toLowerCase());
+        }
+    }
+    return set;
+}
+function filterStyleProperties(style, allowed) {
+    return style
+        .split(';')
+        .map(s => s.trim())
+        .filter(s => {
+        if (!s) {
+            return false;
+        }
+        const colonIdx = s.indexOf(':');
+        if (colonIdx === -1) {
+            return false;
+        }
+        const prop = s.substring(0, colonIdx).trim().toLowerCase();
+        return allowed.has(prop);
+    })
+        .join('; ')
+        .replace(/;\s*$/, '');
+}

package/esm/plugins/drag-and-drop/drag-and-drop.js

@@ -132,7 +132,7 @@ export class dragAndDrop extends Plugin {
                     ? ['a', 'href']
                     : ['img', 'src'];
                 fragment = this.j.createInside.element(tagName);
-                fragment.setAttribute(field, attr(this.draggable, 'data-src') ||
+                attr(fragment, field, attr(this.draggable, 'data-src') ||
                     attr(this.draggable, 'src') ||
                     '');
                 if (tagName === 'a') {

package/esm/plugins/enter/helpers/insert-paragraph.js

@@ -4,6 +4,7 @@
  * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
  */
 import { Dom } from "../../../core/dom/dom.js";
+import { attr } from "../../../core/helpers/utils/attr.js";
 import { scrollIntoViewIfNeeded } from "../../../core/helpers/utils/scroll-into-view.js";
 /**
  * Insert default paragraph
@@ -15,7 +16,7 @@ export function insertParagraph(fake, editor, wrapperTag, style) {
         p.appendChild(br);
     }
     if (style && style.cssText) {
-        p.setAttribute('style', style.cssText);
+        attr(p, 'style', style.cssText);
     }
     Dom.after(fake, p);
     Dom.before(isBR ? p : br, fake);

package/esm/plugins/file/file.js

@@ -5,6 +5,7 @@
  */
 import { Dom } from "../../core/dom/dom.js";
 import { pluginSystem } from "../../core/global.js";
+import { attr } from "../../core/helpers/utils/attr.js";
 import { Config } from "../../config.js";
 import { FileSelectorWidget } from "../../modules/widget/index.js";
 Config.prototype.controls.file = {
@@ -29,8 +30,8 @@ Config.prototype.controls.file = {
             upload: true,
             url: (url, text) => {
                 if (sourceAnchor) {
-                    sourceAnchor.setAttribute('href', url);
-                    sourceAnchor.setAttribute('title', text);
+                    attr(sourceAnchor, 'href', url);
+                    attr(sourceAnchor, 'title', text);
                 }
                 else {
                     insert(url, text);

package/esm/plugins/iframe/iframe.js

@@ -39,8 +39,8 @@ export function iframe(editor) {
         if (opt.iframeCSSLinks) {
             opt.iframeCSSLinks.forEach(href => {
                 const link = doc.createElement('link');
-                link.setAttribute('rel', 'stylesheet');
-                link.setAttribute('href', href);
+                attr(link, 'rel', 'stylesheet');
+                attr(link, 'href', href);
                 doc.head && doc.head.appendChild(link);
             });
         }
@@ -58,11 +58,13 @@ export function iframe(editor) {
         iframe.style.display = 'block';
         iframe.src = 'about:blank';
         iframe.className = 'jodit-wysiwyg_iframe';
-        iframe.setAttribute('allowtransparency', 'true');
-        iframe.setAttribute('tabindex', opt.tabIndex.toString());
-        iframe.setAttribute('frameborder', '0');
+        attr(iframe, {
+            allowtransparency: 'true',
+            tabindex: opt.tabIndex.toString(),
+            frameborder: '0'
+        });
         if (opt.iframeSandbox != null) {
-            iframe.setAttribute('sandbox', opt.iframeSandbox);
+            attr(iframe, 'sandbox', opt.iframeSandbox);
         }
         editor.workplace.appendChild(iframe);
         editor.iframe = iframe;

package/esm/plugins/image/image.js

@@ -6,6 +6,7 @@
 import { Dom } from "../../core/dom/index.js";
 import { pluginSystem } from "../../core/global.js";
 import { $$ } from "../../core/helpers/index.js";
+import { attr } from "../../core/helpers/utils/attr.js";
 import { Icon } from "../../core/ui/icon.js";
 import { Config } from "../../config.js";
 import { FileSelectorWidget } from "../../modules/widget/index.js";
@@ -37,8 +38,8 @@ Config.prototype.controls.image = {
                     url = '//' + url;
                 }
                 const image = sourceImage || editor.createInside.element('img');
-                image.setAttribute('src', url);
-                image.setAttribute('alt', text);
+                attr(image, 'src', url);
+                attr(image, 'alt', text);
                 if (!sourceImage) {
                     await editor.s.insertImage(image, null, editor.o.imageDefaultWidth);
                 }

package/esm/plugins/image-properties/writers/link.js

@@ -15,6 +15,12 @@ export function applyLink(j, image, imageLink, imageLinkOpenInNewTab) {
         }
         attr(link, 'href', imageLink);
         attr(link, 'target', imageLinkOpenInNewTab ? '_blank' : null);
+        if (!imageLinkOpenInNewTab) {
+            const relParts = (attr(link, 'rel') || '')
+                .split(/\s+/)
+                .filter(p => p && p !== 'noopener' && p !== 'noreferrer');
+            attr(link, 'rel', relParts.length ? relParts.join(' ') : null);
+        }
     }
     else {
         if (link && link.parentNode) {

package/esm/plugins/link/link.js

@@ -90,7 +90,7 @@ export class link extends Plugin {
         }
         if (jodit.s.isCollapsed()) {
             const a = jodit.createInside.element('a');
-            a.setAttribute('href', html);
+            attr(a, 'href', html);
             a.textContent = html;
             jodit.e.fire('applyLink', jodit, a, null);
             return a;
@@ -155,7 +155,9 @@ export class link extends Plugin {
                 target_checkbox.checked = attr(link, 'target') === '_blank';
             }
             if (noFollowCheckbox && nofollow_checkbox) {
-                nofollow_checkbox.checked = attr(link, 'rel') === 'nofollow';
+                nofollow_checkbox.checked = (attr(link, 'rel') || '')
+                    .split(/\s+/)
+                    .includes('nofollow');
             }
             insert.textContent = i18n('Update');
         }
@@ -219,7 +221,17 @@ export class link extends Plugin {
                     attr(a, 'target', target_checkbox.checked ? '_blank' : null);
                 }
                 if (noFollowCheckbox && nofollow_checkbox) {
-                    attr(a, 'rel', nofollow_checkbox.checked ? 'nofollow' : null);
+                    const relParts = (attr(a, 'rel') || '')
+                        .split(/\s+/)
+                        .filter(Boolean);
+                    const hasNofollow = relParts.includes('nofollow');
+                    if (nofollow_checkbox.checked && !hasNofollow) {
+                        relParts.push('nofollow');
+                    }
+                    else if (!nofollow_checkbox.checked && hasNofollow) {
+                        relParts.splice(relParts.indexOf('nofollow'), 1);
+                    }
+                    attr(a, 'rel', relParts.length ? relParts.join(' ') : null);
                 }
                 jodit.e.fire('applyLink', jodit, a, form);
             });

package/esm/plugins/resizer/resizer.js

@@ -366,8 +366,8 @@ export class resizer extends Plugin {
             })
                 .off(element, 'changesize')
                 .on(element, 'changesize', () => {
-                iframe.setAttribute('width', element.offsetWidth + 'px');
-                iframe.setAttribute('height', element.offsetHeight + 'px');
+                attr(iframe, 'width', element.offsetWidth + 'px');
+                attr(iframe, 'height', element.offsetHeight + 'px');
             });
         }
         this.j.e.on(element, 'dragstart', this.hide);

package/esm/plugins/source/editor/engines/area.js

@@ -4,6 +4,7 @@
  * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
  */
 import { Dom } from "../../../../core/dom/dom.js";
+import { attr } from "../../../../core/helpers/utils/attr.js";
 import { css } from "../../../../core/helpers/utils/css.js";
 import { SourceEditor } from "../sourceEditor.js";
 export class TextAreaEditor extends SourceEditor {
@@ -73,15 +74,10 @@ export class TextAreaEditor extends SourceEditor {
         this.instance.blur();
     }
     setPlaceHolder(title) {
-        this.instance.setAttribute('placeholder', title);
+        attr(this.instance, 'placeholder', title);
     }
     setReadOnly(isReadOnly) {
-        if (isReadOnly) {
-            this.instance.setAttribute('readonly', 'true');
-        }
-        else {
-            this.instance.removeAttribute('readonly');
-        }
+        attr(this.instance, 'readonly', isReadOnly ? 'true' : null);
     }
     selectAll() {
         this.instance.select();

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "jodit",
-	"version": "4.10.3",
+	"version": "4.11.2",
 	"description": "Jodit is an awesome and useful wysiwyg editor with filebrowser",
 	"main": "esm/index.js",
 	"types": "types/index.d.ts",

package/types/config.d.ts

@@ -947,13 +947,98 @@ interface Config {
          */
         useIframeSandbox: boolean;
         /**
+         * @deprecated Use `removeEventAttributes` instead
          * Remove onError attributes
          */
         removeOnError: boolean;
+        /**
+         * Remove all `on*` event handler attributes (onerror, onclick, onload, onmouseover, etc.)
+         * When enabled, this replaces the legacy `removeOnError` behavior with comprehensive protection.
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         * 	 cleanHTML: {
+         * 	 	 removeEventAttributes: true
+         * 	 }
+         * });
+         * ```
+         */
+        removeEventAttributes: boolean;
         /**
          * Safe href="javascript:" links
          */
         safeJavaScriptLink: boolean;
+        /**
+         * Automatically add `rel="noopener noreferrer"` to links with `target="_blank"`
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         * 	 cleanHTML: {
+         * 	 	 safeLinksTarget: true
+         * 	 }
+         * });
+         * ```
+         */
+        safeLinksTarget: boolean;
+        /**
+         * Whitelist of allowed CSS properties inside `style` attributes.
+         * If set, all CSS properties not in the list will be removed.
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         allowedStyles: {
+         *             '*': ['color', 'background-color', 'font-size', 'text-align'],
+         *             img: ['width', 'height']
+         *         }
+         *     }
+         * });
+         * ```
+         */
+        allowedStyles: false | IDictionary<string[]>;
+        /**
+         * Custom sanitizer function. Called after Jodit's built-in sanitization.
+         * Use this to integrate DOMPurify or other external sanitizers.
+         *
+         * ```javascript
+         * import DOMPurify from 'dompurify';
+         *
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         sanitizer: (html) => DOMPurify.sanitize(html)
+         *     }
+         * });
+         * ```
+         */
+        sanitizer: false | ((value: string) => string);
+        /**
+         * Automatically add `sandbox=""` attribute to all `<iframe>` elements in editor content.
+         * Prevents embedded content from running scripts or accessing the parent page.
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         sandboxIframesInContent: true
+         *     }
+         * });
+         * ```
+         */
+        sandboxIframesInContent: boolean;
+        /**
+         * Convert unsafe embed elements to sandboxed `<iframe>`.
+         * - `['object', 'embed']` — default
+         * - `false` — disabled
+         * - `string[]` — custom list of tag names to convert
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         convertUnsafeEmbeds: Jodit.atom(['object', 'embed', 'applet'])
+         *     }
+         * });
+         * ```
+         */
+        convertUnsafeEmbeds: false | string[];
         /**
          * The allowTags option defines which elements will remain in the
          * edited text when the editor saves. You can use this limit the returned HTML.

package/types/core/dom/dom.d.ts

@@ -52,6 +52,7 @@ export declare class Dom {
      */
     static replace<T extends HTMLElement>(elm: Node, newTagName: HTMLTagNames): T;
     static replace<T extends HTMLElement>(elm: Node, newTagName: HTMLTagNames, create: ICreate, withAttributes?: boolean, notMoveContent?: boolean): T;
+    static replace<T extends Node>(elm: Node, newTagName: T): T;
     static replace<T extends Node>(elm: Node, newTagName: T | string, create?: ICreate, withAttributes?: boolean, notMoveContent?: boolean): T;
     /**
      * Checks whether the Node text and blank (in this case it may contain invisible auxiliary characters ,

package/types/core/helpers/html/safe-html.d.ts

@@ -3,13 +3,14 @@
  * Released under MIT see LICENSE.txt in the project root for license information.
  * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
  */
-type safeOptions = {
+export type safeOptions = {
     removeOnError: boolean;
     safeJavaScriptLink: boolean;
+    removeEventAttributes?: boolean;
+    safeLinksTarget?: boolean;
 };
 /**
  * Removes dangerous constructs from HTML
  */
 export declare function safeHTML(box: HTMLElement | DocumentFragment, options: safeOptions): void;
 export declare function sanitizeHTMLElement(elm: Element | DocumentFragment, { safeJavaScriptLink, removeOnError }?: safeOptions): boolean;
-export {};

package/types/plugins/clean-html/config.d.ts

@@ -41,13 +41,98 @@ declare module 'jodit/config' {
              */
             useIframeSandbox: boolean;
             /**
+             * @deprecated Use `removeEventAttributes` instead
              * Remove onError attributes
              */
             removeOnError: boolean;
+            /**
+             * Remove all `on*` event handler attributes (onerror, onclick, onload, onmouseover, etc.)
+             * When enabled, this replaces the legacy `removeOnError` behavior with comprehensive protection.
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             * 	 cleanHTML: {
+             * 	 	 removeEventAttributes: true
+             * 	 }
+             * });
+             * ```
+             */
+            removeEventAttributes: boolean;
             /**
              * Safe href="javascript:" links
              */
             safeJavaScriptLink: boolean;
+            /**
+             * Automatically add `rel="noopener noreferrer"` to links with `target="_blank"`
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             * 	 cleanHTML: {
+             * 	 	 safeLinksTarget: true
+             * 	 }
+             * });
+             * ```
+             */
+            safeLinksTarget: boolean;
+            /**
+             * Whitelist of allowed CSS properties inside `style` attributes.
+             * If set, all CSS properties not in the list will be removed.
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         allowedStyles: {
+             *             '*': ['color', 'background-color', 'font-size', 'text-align'],
+             *             img: ['width', 'height']
+             *         }
+             *     }
+             * });
+             * ```
+             */
+            allowedStyles: false | IDictionary<string[]>;
+            /**
+             * Custom sanitizer function. Called after Jodit's built-in sanitization.
+             * Use this to integrate DOMPurify or other external sanitizers.
+             *
+             * ```javascript
+             * import DOMPurify from 'dompurify';
+             *
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         sanitizer: (html) => DOMPurify.sanitize(html)
+             *     }
+             * });
+             * ```
+             */
+            sanitizer: false | ((value: string) => string);
+            /**
+             * Automatically add `sandbox=""` attribute to all `<iframe>` elements in editor content.
+             * Prevents embedded content from running scripts or accessing the parent page.
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         sandboxIframesInContent: true
+             *     }
+             * });
+             * ```
+             */
+            sandboxIframesInContent: boolean;
+            /**
+             * Convert unsafe embed elements to sandboxed `<iframe>`.
+             * - `['object', 'embed']` — default
+             * - `false` — disabled
+             * - `string[]` — custom list of tag names to convert
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         convertUnsafeEmbeds: Jodit.atom(['object', 'embed', 'applet'])
+             *     }
+             * });
+             * ```
+             */
+            convertUnsafeEmbeds: false | string[];
             /**
              * The allowTags option defines which elements will remain in the
              * edited text when the editor saves. You can use this limit the returned HTML.

package/types/plugins/clean-html/helpers/visitor/filters/convert-unsafe-embeds.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Convert `<object>` and `<embed>` elements to safer `<iframe>` elements.
+ * @private
+ */
+export declare function convertUnsafeEmbeds(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;

package/types/plugins/clean-html/helpers/visitor/filters/index.d.ts

@@ -10,9 +10,13 @@
  * @private
  */
 export * from "./allow-attributes";
+export * from "./convert-unsafe-embeds";
 export * from "./fill-empty-paragraph";
 export * from "./remove-empty-text-node";
 export * from "./remove-inv-text-nodes";
 export * from "./replace-old-tags";
+export * from "./safe-links-target";
+export * from "./sandbox-iframes-in-content";
 export * from "./sanitize-attributes";
+export * from "./sanitize-styles";
 export * from "./try-remove-node";

package/types/plugins/clean-html/helpers/visitor/filters/safe-links-target.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Automatically add `rel="noopener noreferrer"` to links with `target="_blank"`
+ * @private
+ */
+export declare function safeLinksTarget(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;

package/types/plugins/clean-html/helpers/visitor/filters/sandbox-iframes-in-content.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Add `sandbox=""` attribute to all `<iframe>` elements in the editor content
+ * @private
+ */
+export declare function sandboxIframesInContent(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;

package/types/plugins/clean-html/helpers/visitor/filters/sanitize-styles.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Filter CSS properties in style attributes based on allowedStyles whitelist
+ * @private
+ */
+export declare function sanitizeStyles(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;