jodit 4.12.17 → 4.12.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/CHANGELOG.md +36 -0
  2. package/es2015/jodit.css +1 -1
  3. package/es2015/jodit.fat.min.js +7 -7
  4. package/es2015/jodit.js +338 -79
  5. package/es2015/jodit.min.js +7 -7
  6. package/es2015/plugins/debug/debug.css +1 -1
  7. package/es2015/plugins/debug/debug.js +1 -1
  8. package/es2015/plugins/debug/debug.min.js +1 -1
  9. package/es2015/plugins/speech-recognize/speech-recognize.css +1 -1
  10. package/es2015/plugins/speech-recognize/speech-recognize.js +1 -1
  11. package/es2015/plugins/speech-recognize/speech-recognize.min.js +1 -1
  12. package/es2018/jodit.fat.min.js +7 -7
  13. package/es2018/jodit.min.js +7 -7
  14. package/es2018/plugins/debug/debug.min.js +1 -1
  15. package/es2018/plugins/speech-recognize/speech-recognize.min.js +1 -1
  16. package/es2021/jodit.css +1 -1
  17. package/es2021/jodit.fat.min.js +9 -9
  18. package/es2021/jodit.js +335 -79
  19. package/es2021/jodit.min.js +9 -9
  20. package/es2021/plugins/debug/debug.css +1 -1
  21. package/es2021/plugins/debug/debug.js +1 -1
  22. package/es2021/plugins/debug/debug.min.js +1 -1
  23. package/es2021/plugins/speech-recognize/speech-recognize.css +1 -1
  24. package/es2021/plugins/speech-recognize/speech-recognize.js +1 -1
  25. package/es2021/plugins/speech-recognize/speech-recognize.min.js +1 -1
  26. package/es2021.en/jodit.css +1 -1
  27. package/es2021.en/jodit.fat.min.js +10 -10
  28. package/es2021.en/jodit.js +335 -79
  29. package/es2021.en/jodit.min.js +9 -9
  30. package/es2021.en/plugins/debug/debug.css +1 -1
  31. package/es2021.en/plugins/debug/debug.js +1 -1
  32. package/es2021.en/plugins/debug/debug.min.js +1 -1
  33. package/es2021.en/plugins/speech-recognize/speech-recognize.css +1 -1
  34. package/es2021.en/plugins/speech-recognize/speech-recognize.js +1 -1
  35. package/es2021.en/plugins/speech-recognize/speech-recognize.min.js +1 -1
  36. package/es5/jodit.css +2 -2
  37. package/es5/jodit.fat.min.js +2 -2
  38. package/es5/jodit.js +367 -85
  39. package/es5/jodit.min.css +2 -2
  40. package/es5/jodit.min.js +2 -2
  41. package/es5/plugins/debug/debug.css +1 -1
  42. package/es5/plugins/debug/debug.js +1 -1
  43. package/es5/plugins/debug/debug.min.js +1 -1
  44. package/es5/plugins/speech-recognize/speech-recognize.css +1 -1
  45. package/es5/plugins/speech-recognize/speech-recognize.js +1 -1
  46. package/es5/plugins/speech-recognize/speech-recognize.min.js +1 -1
  47. package/es5/polyfills.fat.min.js +1 -1
  48. package/es5/polyfills.js +1 -1
  49. package/es5/polyfills.min.js +1 -1
  50. package/esm/core/constants.js +1 -1
  51. package/esm/core/helpers/html/apply-styles.js +11 -0
  52. package/esm/core/helpers/html/clean-from-word.js +9 -0
  53. package/esm/core/helpers/html/safe-html.js +71 -19
  54. package/esm/core/helpers/html/strip-tags.d.ts +1 -1
  55. package/esm/core/helpers/html/strip-tags.js +7 -3
  56. package/esm/core/helpers/utils/config-proto.js +15 -0
  57. package/esm/core/helpers/utils/convert-media-url-to-video-embed.js +41 -19
  58. package/esm/jodit.js +20 -0
  59. package/esm/modules/uploader/config.js +11 -1
  60. package/esm/plugins/clean-html/helpers/visitor/filters/try-remove-node.js +8 -1
  61. package/esm/plugins/color/config.js +12 -3
  62. package/esm/plugins/drag-and-drop-element/drag-and-drop-element.d.ts +21 -0
  63. package/esm/plugins/drag-and-drop-element/drag-and-drop-element.js +48 -3
  64. package/esm/plugins/enter/enter.js +11 -6
  65. package/esm/plugins/hotkeys/config.js +1 -1
  66. package/esm/plugins/indent/config.js +20 -6
  67. package/esm/plugins/paste/paste.js +6 -1
  68. package/esm/plugins/paste-from-word/paste-from-word.js +1 -1
  69. package/esm/plugins/select/select.d.ts +8 -0
  70. package/esm/plugins/select/select.js +37 -0
  71. package/package.json +1 -1
  72. package/types/core/helpers/html/strip-tags.d.ts +1 -1
  73. package/types/plugins/drag-and-drop-element/drag-and-drop-element.d.ts +21 -0
  74. package/types/plugins/select/select.d.ts +8 -0
package/CHANGELOG.md CHANGED
@@ -9,6 +9,42 @@
9
9
  > - :house: [Internal]
10
10
  > - :nail_care: [Polish]
11
11
 
12
+ ## 4.12.19
13
+
14
+ #### :bug: Bug Fix
15
+
16
+ - **Security (stored XSS)**: the HTML sanitizer (`safeHTML`) stripped `on*` event handlers and `javascript:` links but left several executable constructs in the serialized editor value, so an application that re-rendered `editor.value` as trusted HTML could execute attacker script. It now also: drops `iframe[srcdoc]`; removes `data:text/html` / `data:application/xhtml` (and SVG `data:` URLs in `iframe`/`object`/`embed`/`frame`) sources; and strips `javascript:`/`vbscript:`/`livescript:`/`mocha:` from every URL-bearing attribute (`src`, `data`, `action`, `formaction`, `poster`, `background`, `xlink:href`), not just `<a href>`. Safe `data:image/*` sources (e.g. base64 PNG/SVG used in `<img>`) are preserved. Responsibly reported by Yuji Tounai.
17
+ - **Paste (Insert as Text)**: pasting multi-line content with the *Insert as Text* option lost its line breaks — the escaped text kept raw newlines that collapse to spaces when rendered. The *Insert as Text* path now converts newlines to `<br>` (gated on `nl2brInPlainText`, like the plain-text paste path). Fixes [#1093](https://github.com/xdan/jodit/issues/1093).
18
+ - **Hotkeys**: the default keyboard shortcut for *Insert Unordered List* (`Ctrl/Cmd+Shift+8`) never fired — both variants were written as a single comma-joined string `'ctrl+shift+8, cmd+shift+8'` instead of two separate array entries, so the combined value never matched a real keypress. Fixes [#1079](https://github.com/xdan/jodit/issues/1079).
19
+ - **Color / Brush button**: the brush (text/background color) button never reflected the color under the caret. Its `update` handler computed the current color into the icon fill but then **unconditionally** reset `icon.fill` to an empty string on every toolbar update, discarding it — which also made the icon render invisibly against some themes (`editorCssClass`). The computed fill is now kept when a color is present (and only cleared when there is none). Fixes [#195](https://github.com/xdan/jodit/issues/195) and [#182](https://github.com/xdan/jodit/issues/182).
20
+ - **Toolbar / Selection**: when a text selection was started inside the editor and the mouse button was released **outside** of the editable area (a drag-select that ends over the page), the editor never received the `mouseup` event, so the active state of toolbar buttons (Bold, Italic, etc.) was not recalculated and stayed stale. A document-level `mouseup` listener now re-fires `changeSelection` when the selection still belongs to the editor, so the toolbar updates correctly. Fixes [#1251](https://github.com/xdan/jodit/issues/1251).
21
+ - **Media embed (YouTube & Vimeo)**: real-world share URLs were not converted to an embedded player. For YouTube, short links of the form `https://youtu.be/<id>?si=…` (the *Share* button format) and `?t=` timestamp links were inserted as plain text — the video id sits in the path but was only read when there was no query string — and `/shorts/<id>` / `/live/<id>` produced a broken `embed/shorts/<id>` src. For Vimeo, `?share=copy` tracking params and `channels/<name>/<id>` / `groups/<name>/videos/<id>` URLs produced a broken `video/channels/…` src. `convertMediaUrlToVideoEmbed` now extracts the video id (and the unlisted Vimeo hash) from the URL path, ignoring tracking params and channel/group/`embed`/`shorts`/`live` prefixes, and also recognises the `m.youtube.com` (mobile) and `music.youtube.com` hosts. Fixes [#1209](https://github.com/xdan/jodit/issues/1209).
22
+ - **Indent / Lists**: the *Decrease Indent* (outdent) toolbar button stayed disabled when the cursor was inside a nested list item, even though `Shift+Tab` could un-nest it. The button's enabled state only considered an inline indent margin and ignored list nesting. It is now also enabled when the cursor sits in a list whose parent is another list item (matching the `tab` plugin's outdent behaviour). Fixes [#1247](https://github.com/xdan/jodit/issues/1247).
23
+ - **Uploader (base64)**: with `uploader.insertImageAsBase64URI = true`, dropping or pasting images in formats outside the default `imagesExtensions` list — notably `.svg`, `.bmp`, `.webp` — failed with `Need Url for Ajax Request` instead of being inlined as a data URI (the file fell through to the server-upload path). The default `imagesExtensions` now also includes `webp`, `bmp`, `svg`, `tiff` and `avif`. Fixes [#1228](https://github.com/xdan/jodit/issues/1228).
24
+ - **Paste (Insert only Text)**: pasting multi-paragraph HTML with the *Insert only Text* option collapsed everything into a single paragraph — block boundaries became spaces, so the text could no longer be split into list items or separate blocks. `stripTags` gained an opt-in `blockBr` mode and the *Insert only Text* path now uses it (gated on `nl2brInPlainText`), so paragraphs are separated by `<br>`. The default `stripTags` behaviour (space-joined single-line plain text) is unchanged. Fixes [#1232](https://github.com/xdan/jodit/issues/1232).
25
+ - **Paste from Word**: list items pasted from Microsoft Word kept their auto-generated marker text — the bullet glyph or the literal item number (`1.`, `2.`, …) leaked into the content as plain text. Word emits these markers inside `<span style="mso-list:Ignore">` elements that are explicitly flagged as display-only; both paste paths now drop those spans entirely instead of just stripping their attributes — `cleanFromWord` (the *Clean* / *As text* options) and `applyStyles` (the *Keep* / insert-as-HTML option). Fixes [#948](https://github.com/xdan/jodit/issues/948).
26
+
27
+ #### :house: Internal
28
+
29
+ - **Accessibility tests**: added a regression test asserting that a toolbar button's `aria-label` is placed on the interactive `<button>` element (not only on the wrapper `<span>`), covering the toolbar-specific case of [#1261](https://github.com/xdan/jodit/issues/1261) (already fixed in 4.9.7).
30
+ - **Color tests**: added a regression test for applying a single font color over a selection that already contains several different colors — every part of the text must be recolored, none left without a color, covering [#169](https://github.com/xdan/jodit/issues/169) (already fixed in the v4 style engine).
31
+
32
+ ## 4.12.18
33
+
34
+ #### :rocket: New Feature
35
+
36
+ - **Drag and drop element**: added a `startDragElement` event so another plugin can begin dragging a specific element programmatically — e.g. from a dedicated drag handle/anchor shown next to a block. Fire `editor.e.fire('startDragElement', element, mouseEvent)`; the element does **not** need to be listed in `draggableTags` (the listener is registered even when that list is empty), so handles can move elements such as `<pre>` code blocks that are not auto-draggable.
37
+
38
+ #### :bug: Bug Fix
39
+
40
+ - **Formatting / Selection**: toggling Bold/Italic/Underline (etc.) on a collapsed cursor and then clicking in the editor lost one or more of the pending formats. The click placed the caret just before the empty marker elements, so `clean-html` removed them. The caret is now moved back into the innermost pending marker on click, and `clean-html` keeps empty inline elements that hold the live caret, so the next typed character keeps every format. Fixes [#1291](https://github.com/xdan/jodit/issues/1291).
41
+ - **History / Enter**: pressing Enter while a selection was active (e.g. Ctrl+A then Enter) required two Ctrl+Z presses to undo — the first only reverted to an intermediate empty state. The delete-of-selection and the new block are now a single history transaction, so one undo restores the original content. Fixes [#1292](https://github.com/xdan/jodit/issues/1292).
42
+ - **Security / Config (prototype pollution)**: `Jodit.configure()` — and the internal `ConfigMerge`/`ConfigProto` helpers — merged user-supplied options without filtering prototype-mutating keys, so a payload nested under an existing plain-object option such as `controls` (e.g. `{"controls":{"__proto__":{"polluted":"yes"}}}`) could reach and mutate `Object.prototype` (CWE-1321). Merging now rejects `__proto__`, `constructor`, and `prototype` at every nesting level. Responsibly reported by Junming Wu.
43
+
44
+ #### :nail_care: Polish
45
+
46
+ - **Drag and drop element**: dropping a non-editable block (e.g. a `<pre>` code sample) no longer leaves an invisible filler text node (``) next to it. Previously this stray node showed up as an extra empty line until `clean-html` removed it later; it is now stripped in `onDrop` right after insertion.
47
+
12
48
  ## 4.12.17
13
49
 
14
50
  #### :bug: Bug Fix
package/es2015/jodit.css CHANGED
@@ -1,7 +1,7 @@
1
1
  /*!
2
2
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
3
3
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
4
- * Version: v4.12.17
4
+ * Version: v4.12.20
5
5
  * Url: https://xdsoft.net/jodit/
6
6
  * License(s): MIT
7
7
  */