jodit 4.10.3 → 4.11.3

package/es5/plugins/debug/debug.css

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/debug/debug.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/debug/debug.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/speech-recognize/speech-recognize.css

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/speech-recognize/speech-recognize.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/speech-recognize/speech-recognize.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/polyfills.fat.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/polyfills.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/polyfills.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.10.3
+ * Version: v4.11.3
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/esm/config.d.ts

@@ -947,13 +947,98 @@ interface Config {
          */
         useIframeSandbox: boolean;
         /**
+         * @deprecated Use `removeEventAttributes` instead
          * Remove onError attributes
          */
         removeOnError: boolean;
+        /**
+         * Remove all `on*` event handler attributes (onerror, onclick, onload, onmouseover, etc.)
+         * When enabled, this replaces the legacy `removeOnError` behavior with comprehensive protection.
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         * 	 cleanHTML: {
+         * 	 	 removeEventAttributes: true
+         * 	 }
+         * });
+         * ```
+         */
+        removeEventAttributes: boolean;
         /**
          * Safe href="javascript:" links
          */
         safeJavaScriptLink: boolean;
+        /**
+         * Automatically add `rel="noopener noreferrer"` to links with `target="_blank"`
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         * 	 cleanHTML: {
+         * 	 	 safeLinksTarget: true
+         * 	 }
+         * });
+         * ```
+         */
+        safeLinksTarget: boolean;
+        /**
+         * Whitelist of allowed CSS properties inside `style` attributes.
+         * If set, all CSS properties not in the list will be removed.
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         allowedStyles: {
+         *             '*': ['color', 'background-color', 'font-size', 'text-align'],
+         *             img: ['width', 'height']
+         *         }
+         *     }
+         * });
+         * ```
+         */
+        allowedStyles: false | IDictionary<string[]>;
+        /**
+         * Custom sanitizer function. Called after Jodit's built-in sanitization.
+         * Use this to integrate DOMPurify or other external sanitizers.
+         *
+         * ```javascript
+         * import DOMPurify from 'dompurify';
+         *
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         sanitizer: (html) => DOMPurify.sanitize(html)
+         *     }
+         * });
+         * ```
+         */
+        sanitizer: false | ((value: string) => string);
+        /**
+         * Automatically add `sandbox=""` attribute to all `<iframe>` elements in editor content.
+         * Prevents embedded content from running scripts or accessing the parent page.
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         sandboxIframesInContent: true
+         *     }
+         * });
+         * ```
+         */
+        sandboxIframesInContent: boolean;
+        /**
+         * Convert unsafe embed elements to sandboxed `<iframe>`.
+         * - `['object', 'embed']` — default
+         * - `false` — disabled
+         * - `string[]` — custom list of tag names to convert
+         *
+         * ```javascript
+         * Jodit.make('#editor', {
+         *     cleanHTML: {
+         *         convertUnsafeEmbeds: Jodit.atom(['object', 'embed', 'applet'])
+         *     }
+         * });
+         * ```
+         */
+        convertUnsafeEmbeds: false | string[];
         /**
          * The allowTags option defines which elements will remain in the
          * edited text when the editor saves. You can use this limit the returned HTML.

package/esm/core/constants.js

@@ -3,7 +3,7 @@
  * Released under MIT see LICENSE.txt in the project root for license information.
  * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
  */
-export const APP_VERSION = "4.10.3";
+export const APP_VERSION = "4.11.3";
 // prettier-ignore
 export const ES = "es2020";
 export const IS_ES_MODERN = true;

package/esm/core/dom/dom.d.ts

@@ -52,6 +52,7 @@ export declare class Dom {
      */
     static replace<T extends HTMLElement>(elm: Node, newTagName: HTMLTagNames): T;
     static replace<T extends HTMLElement>(elm: Node, newTagName: HTMLTagNames, create: ICreate, withAttributes?: boolean, notMoveContent?: boolean): T;
+    static replace<T extends Node>(elm: Node, newTagName: T): T;
     static replace<T extends Node>(elm: Node, newTagName: T | string, create?: ICreate, withAttributes?: boolean, notMoveContent?: boolean): T;
     /**
      * Checks whether the Node text and blank (in this case it may contain invisible auxiliary characters ,

package/esm/core/helpers/html/safe-html.d.ts

@@ -3,13 +3,14 @@
  * Released under MIT see LICENSE.txt in the project root for license information.
  * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
  */
-type safeOptions = {
+export type safeOptions = {
     removeOnError: boolean;
     safeJavaScriptLink: boolean;
+    removeEventAttributes?: boolean;
+    safeLinksTarget?: boolean;
 };
 /**
  * Removes dangerous constructs from HTML
  */
 export declare function safeHTML(box: HTMLElement | DocumentFragment, options: safeOptions): void;
 export declare function sanitizeHTMLElement(elm: Element | DocumentFragment, { safeJavaScriptLink, removeOnError }?: safeOptions): boolean;
-export {};

package/esm/core/helpers/html/safe-html.js

@@ -12,17 +12,56 @@ import { $$, attr } from "../utils/index.js";
  * Removes dangerous constructs from HTML
  */
 export function safeHTML(box, options) {
+    var _a;
     if (!Dom.isElement(box) && !Dom.isFragment(box)) {
         return;
     }
-    if (options.removeOnError) {
-        sanitizeHTMLElement(box);
+    const removeEvents = (_a = options.removeEventAttributes) !== null && _a !== void 0 ? _a : options.removeOnError;
+    if (removeEvents) {
+        removeAllEventAttributes(box);
+        $$('*', box).forEach(elm => removeAllEventAttributes(elm));
+    }
+    else if (options.removeOnError) {
+        sanitizeHTMLElement(box, options);
         $$('[onerror]', box).forEach(elm => sanitizeHTMLElement(elm, options));
     }
     if (options.safeJavaScriptLink) {
-        sanitizeHTMLElement(box);
+        sanitizeHTMLElement(box, options);
         $$('a[href^="javascript"]', box).forEach(elm => sanitizeHTMLElement(elm, options));
     }
+    if (options.safeLinksTarget) {
+        $$('a[target="_blank"]', box).forEach(elm => {
+            const rel = elm.getAttribute('rel') || '';
+            const parts = rel.split(/\s+/).filter(Boolean);
+            if (!parts.includes('noopener')) {
+                parts.push('noopener');
+            }
+            if (!parts.includes('noreferrer')) {
+                parts.push('noreferrer');
+            }
+            attr(elm, 'rel', parts.join(' '));
+        });
+    }
+}
+/**
+ * Remove all on* event handler attributes from an element
+ */
+function removeAllEventAttributes(elm) {
+    if (!Dom.isElement(elm)) {
+        return false;
+    }
+    let effected = false;
+    const toRemove = [];
+    for (let i = 0; i < elm.attributes.length; i++) {
+        if (elm.attributes[i].name.toLowerCase().startsWith('on')) {
+            toRemove.push(elm.attributes[i].name);
+        }
+    }
+    for (const name of toRemove) {
+        elm.removeAttribute(name);
+        effected = true;
+    }
+    return effected;
 }
 export function sanitizeHTMLElement(elm, { safeJavaScriptLink, removeOnError } = {
     safeJavaScriptLink: true,

package/esm/plugins/clean-html/clean-html.js

@@ -95,6 +95,10 @@ export class cleanHtml extends Plugin {
         return false;
     }
     onSafeHTML(sandBox) {
+        const sanitizer = this.j.o.cleanHTML.sanitizer;
+        if (sanitizer) {
+            sandBox.innerHTML = sanitizer(sandBox.innerHTML);
+        }
         safeHTML(sandBox, this.j.o.cleanHTML);
     }
     /** @override */

package/esm/plugins/clean-html/config.d.ts

@@ -41,13 +41,98 @@ declare module 'jodit/config' {
              */
             useIframeSandbox: boolean;
             /**
+             * @deprecated Use `removeEventAttributes` instead
              * Remove onError attributes
              */
             removeOnError: boolean;
+            /**
+             * Remove all `on*` event handler attributes (onerror, onclick, onload, onmouseover, etc.)
+             * When enabled, this replaces the legacy `removeOnError` behavior with comprehensive protection.
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             * 	 cleanHTML: {
+             * 	 	 removeEventAttributes: true
+             * 	 }
+             * });
+             * ```
+             */
+            removeEventAttributes: boolean;
             /**
              * Safe href="javascript:" links
              */
             safeJavaScriptLink: boolean;
+            /**
+             * Automatically add `rel="noopener noreferrer"` to links with `target="_blank"`
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             * 	 cleanHTML: {
+             * 	 	 safeLinksTarget: true
+             * 	 }
+             * });
+             * ```
+             */
+            safeLinksTarget: boolean;
+            /**
+             * Whitelist of allowed CSS properties inside `style` attributes.
+             * If set, all CSS properties not in the list will be removed.
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         allowedStyles: {
+             *             '*': ['color', 'background-color', 'font-size', 'text-align'],
+             *             img: ['width', 'height']
+             *         }
+             *     }
+             * });
+             * ```
+             */
+            allowedStyles: false | IDictionary<string[]>;
+            /**
+             * Custom sanitizer function. Called after Jodit's built-in sanitization.
+             * Use this to integrate DOMPurify or other external sanitizers.
+             *
+             * ```javascript
+             * import DOMPurify from 'dompurify';
+             *
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         sanitizer: (html) => DOMPurify.sanitize(html)
+             *     }
+             * });
+             * ```
+             */
+            sanitizer: false | ((value: string) => string);
+            /**
+             * Automatically add `sandbox=""` attribute to all `<iframe>` elements in editor content.
+             * Prevents embedded content from running scripts or accessing the parent page.
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         sandboxIframesInContent: true
+             *     }
+             * });
+             * ```
+             */
+            sandboxIframesInContent: boolean;
+            /**
+             * Convert unsafe embed elements to sandboxed `<iframe>`.
+             * - `['object', 'embed']` — default
+             * - `false` — disabled
+             * - `string[]` — custom list of tag names to convert
+             *
+             * ```javascript
+             * Jodit.make('#editor', {
+             *     cleanHTML: {
+             *         convertUnsafeEmbeds: Jodit.atom(['object', 'embed', 'applet'])
+             *     }
+             * });
+             * ```
+             */
+            convertUnsafeEmbeds: false | string[];
             /**
              * The allowTags option defines which elements will remain in the
              * edited text when the editor saves. You can use this limit the returned HTML.

package/esm/plugins/clean-html/config.js

@@ -16,10 +16,16 @@ Config.prototype.cleanHTML = {
         b: 'strong'
     },
     allowTags: false,
-    denyTags: 'script',
+    denyTags: 'script,iframe,object,embed',
     useIframeSandbox: false,
     removeOnError: true,
+    removeEventAttributes: true,
     safeJavaScriptLink: true,
+    safeLinksTarget: true,
+    allowedStyles: false,
+    sanitizer: false,
+    sandboxIframesInContent: true,
+    convertUnsafeEmbeds: ['object', 'embed'],
     disableCleanFilter: null
 };
 Config.prototype.controls.eraser = {

package/esm/plugins/clean-html/helpers/visitor/filters/convert-unsafe-embeds.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Convert `<object>` and `<embed>` elements to safer `<iframe>` elements.
+ * @private
+ */
+export declare function convertUnsafeEmbeds(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;

package/esm/plugins/clean-html/helpers/visitor/filters/convert-unsafe-embeds.js

@@ -0,0 +1,37 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+import { Dom } from "../../../../../core/dom/dom.js";
+import { attr } from "../../../../../core/helpers/utils/attr.js";
+/**
+ * Convert `<object>` and `<embed>` elements to safer `<iframe>` elements.
+ * @private
+ */
+export function convertUnsafeEmbeds(jodit, nodeElm, hadEffect) {
+    const opt = jodit.o.cleanHTML.convertUnsafeEmbeds;
+    if (!opt || !Dom.isElement(nodeElm)) {
+        return hadEffect;
+    }
+    const tag = nodeElm.nodeName.toLowerCase();
+    if (!opt.includes(tag)) {
+        return hadEffect;
+    }
+    const elm = nodeElm;
+    const src = attr(elm, 'data') || attr(elm, 'src') || attr(elm, 'movie') || '';
+    if (!src) {
+        Dom.safeRemove(elm);
+        return true;
+    }
+    const iframe = jodit.createInside.element('iframe');
+    attr(iframe, {
+        src,
+        sandbox: '',
+        frameborder: '0',
+        width: attr(elm, 'width'),
+        height: attr(elm, 'height')
+    });
+    Dom.replace(elm, iframe, undefined, false, true);
+    return true;
+}

package/esm/plugins/clean-html/helpers/visitor/filters/index.d.ts

@@ -10,9 +10,13 @@
  * @private
  */
 export * from "./allow-attributes";
+export * from "./convert-unsafe-embeds";
 export * from "./fill-empty-paragraph";
 export * from "./remove-empty-text-node";
 export * from "./remove-inv-text-nodes";
 export * from "./replace-old-tags";
+export * from "./safe-links-target";
+export * from "./sandbox-iframes-in-content";
 export * from "./sanitize-attributes";
+export * from "./sanitize-styles";
 export * from "./try-remove-node";

package/esm/plugins/clean-html/helpers/visitor/filters/index.js

@@ -10,9 +10,13 @@
  * @private
  */
 export * from "./allow-attributes.js";
+export * from "./convert-unsafe-embeds.js";
 export * from "./fill-empty-paragraph.js";
 export * from "./remove-empty-text-node.js";
 export * from "./remove-inv-text-nodes.js";
 export * from "./replace-old-tags.js";
+export * from "./safe-links-target.js";
+export * from "./sandbox-iframes-in-content.js";
 export * from "./sanitize-attributes.js";
+export * from "./sanitize-styles.js";
 export * from "./try-remove-node.js";

package/esm/plugins/clean-html/helpers/visitor/filters/safe-links-target.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Automatically add `rel="noopener noreferrer"` to links with `target="_blank"`
+ * @private
+ */
+export declare function safeLinksTarget(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;

package/esm/plugins/clean-html/helpers/visitor/filters/safe-links-target.js

@@ -0,0 +1,38 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+import { Dom } from "../../../../../core/dom/dom.js";
+import { attr } from "../../../../../core/helpers/utils/attr.js";
+/**
+ * Automatically add `rel="noopener noreferrer"` to links with `target="_blank"`
+ * @private
+ */
+export function safeLinksTarget(jodit, nodeElm, hadEffect) {
+    if (!jodit.o.cleanHTML.safeLinksTarget ||
+        !Dom.isElement(nodeElm) ||
+        nodeElm.nodeName !== 'A') {
+        return hadEffect;
+    }
+    const elm = nodeElm;
+    if (attr(elm, 'target') !== '_blank') {
+        return hadEffect;
+    }
+    const rel = attr(elm, 'rel') || '';
+    const parts = rel.split(/\s+/).filter(Boolean);
+    let changed = false;
+    if (!parts.includes('noopener')) {
+        parts.push('noopener');
+        changed = true;
+    }
+    if (!parts.includes('noreferrer')) {
+        parts.push('noreferrer');
+        changed = true;
+    }
+    if (changed) {
+        attr(elm, 'rel', parts.join(' '));
+        return true;
+    }
+    return hadEffect;
+}

package/esm/plugins/clean-html/helpers/visitor/filters/sandbox-iframes-in-content.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Add `sandbox=""` attribute to all `<iframe>` elements in the editor content
+ * @private
+ */
+export declare function sandboxIframesInContent(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;

package/esm/plugins/clean-html/helpers/visitor/filters/sandbox-iframes-in-content.js

@@ -0,0 +1,24 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+import { Dom } from "../../../../../core/dom/dom.js";
+import { attr } from "../../../../../core/helpers/utils/attr.js";
+/**
+ * Add `sandbox=""` attribute to all `<iframe>` elements in the editor content
+ * @private
+ */
+export function sandboxIframesInContent(jodit, nodeElm, hadEffect) {
+    if (!jodit.o.cleanHTML.sandboxIframesInContent ||
+        !Dom.isElement(nodeElm) ||
+        nodeElm.nodeName !== 'IFRAME') {
+        return hadEffect;
+    }
+    const elm = nodeElm;
+    if (!elm.hasAttribute('sandbox')) {
+        attr(elm, 'sandbox', '');
+        return true;
+    }
+    return hadEffect;
+}

package/esm/plugins/clean-html/helpers/visitor/filters/sanitize-attributes.js

@@ -9,11 +9,16 @@ import { sanitizeHTMLElement } from "../../../../../core/helpers/index.js";
  * @private
  */
 export function sanitizeAttributes(jodit, nodeElm, hadEffect) {
-    if (Dom.isElement(nodeElm) &&
-        sanitizeHTMLElement(nodeElm, {
-            safeJavaScriptLink: jodit.options.cleanHTML.safeJavaScriptLink,
-            removeOnError: jodit.options.cleanHTML.removeOnError
-        })) {
+    if (!Dom.isElement(nodeElm)) {
+        return hadEffect;
+    }
+    const opts = jodit.options.cleanHTML;
+    if (sanitizeHTMLElement(nodeElm, {
+        safeJavaScriptLink: opts.safeJavaScriptLink,
+        removeOnError: opts.removeOnError,
+        removeEventAttributes: opts.removeEventAttributes,
+        safeLinksTarget: opts.safeLinksTarget
+    })) {
         return true;
     }
     return hadEffect;

package/esm/plugins/clean-html/helpers/visitor/filters/sanitize-styles.d.ts

@@ -0,0 +1,14 @@
+/*!
+ * Jodit Editor (https://xdsoft.net/jodit/)
+ * Released under MIT see LICENSE.txt in the project root for license information.
+ * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
+ */
+/**
+ * @module plugins/clean-html
+ */
+import type { IJodit } from "../../../../../types/index";
+/**
+ * Filter CSS properties in style attributes based on allowedStyles whitelist
+ * @private
+ */
+export declare function sanitizeStyles(jodit: IJodit, nodeElm: Node, hadEffect: boolean): boolean;