jodit 4.12.17 → 4.12.20

package/es5/plugins/debug/debug.css

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/debug/debug.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/debug/debug.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/speech-recognize/speech-recognize.css

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/speech-recognize/speech-recognize.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/plugins/speech-recognize/speech-recognize.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/polyfills.fat.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/polyfills.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/es5/polyfills.min.js

@@ -1,7 +1,7 @@
 /*!
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
- * Version: v4.12.17
+ * Version: v4.12.20
  * Url: https://xdsoft.net/jodit/
  * License(s): MIT
  */

package/esm/core/constants.js

@@ -3,7 +3,7 @@
  * Released under MIT see LICENSE.txt in the project root for license information.
  * Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
  */
-export const APP_VERSION = "4.12.17";
+export const APP_VERSION = "4.12.20";
 // prettier-ignore
 export const ES = "es2020";
 export const IS_ES_MODERN = true;

package/esm/core/helpers/html/apply-styles.js

@@ -47,6 +47,17 @@ export function applyStyles(html) {
             iframeDoc.open();
             iframeDoc.write(html);
             iframeDoc.close();
+            // Word marks its auto-generated list markers (the literal
+            // bullet/number, e.g. `1.` or `·`) with `mso-list:Ignore`.
+            // They are display-only and must not be imported, otherwise
+            // the marker text leaks into the content. Drop them before any
+            // style normalization strips the `mso-list` hint. See #948
+            Dom.each(iframeDoc.body, (node) => {
+                if (Dom.isElement(node) &&
+                    /mso-list:\s*ignore/i.test(node.getAttribute('style') || '')) {
+                    Dom.safeRemove(node);
+                }
+            });
             try {
                 for (let i = 0; i < iframeDoc.styleSheets.length; i += 1) {
                     const rules = iframeDoc.styleSheets[i].cssRules;

package/esm/core/helpers/html/clean-from-word.js

@@ -43,6 +43,15 @@ export function cleanFromWord(html) {
                                 Dom.unwrap(node);
                                 break;
                             default:
+                                // Word marks its auto-generated list markers
+                                // (the literal bullet/number, e.g. `1.` or `·`)
+                                // with `mso-list:Ignore`. They are display-only
+                                // and must not be imported, otherwise the marker
+                                // text leaks into the content. See #948
+                                if (/mso-list:\s*ignore/i.test(node.getAttribute('style') || '')) {
+                                    marks.push(node);
+                                    break;
+                                }
                                 toArray(node.attributes).forEach((attr) => {
                                     if ([
                                         'src',

package/esm/core/helpers/html/safe-html.js

@@ -7,7 +7,7 @@
  * @module helpers/html
  */
 import { Dom } from "../../dom/dom.js";
-import { $$, attr } from "../utils/index.js";
+import { attr } from "../utils/index.js";
 /**
  * Removes dangerous constructs from HTML
  */
@@ -17,21 +17,22 @@ export function safeHTML(box, options) {
         return;
     }
     const removeEvents = (_a = options.removeEventAttributes) !== null && _a !== void 0 ? _a : options.removeOnError;
-    if (removeEvents) {
-        removeAllEventAttributes(box);
-        $$('*', box).forEach(elm => removeAllEventAttributes(elm));
-    }
-    else if (options.removeOnError) {
-        sanitizeHTMLElement(box, options);
-        $$('[onerror]', box).forEach(elm => sanitizeHTMLElement(elm, options));
-    }
-    if (options.safeJavaScriptLink) {
-        sanitizeHTMLElement(box, options);
-        $$('a[href^="javascript"]', box).forEach(elm => sanitizeHTMLElement(elm, options));
-    }
-    if (options.safeLinksTarget) {
-        $$('a[target="_blank"]', box).forEach(elm => {
-            const rel = elm.getAttribute('rel') || '';
+    // Single synchronous traversal of the subtree. Besides removing event
+    // handlers and `javascript:` links, `sanitizeHTMLElement` neutralises
+    // executable `iframe[srcdoc]`, `data:text/html` / SVG `data:` document
+    // sources and dangerous schemes in every URL-bearing attribute.
+    const process = (node) => {
+        if (!Dom.isElement(node)) {
+            return;
+        }
+        if (removeEvents) {
+            removeAllEventAttributes(node);
+        }
+        sanitizeHTMLElement(node, options);
+        if (options.safeLinksTarget &&
+            node.nodeName === 'A' &&
+            node.getAttribute('target') === '_blank') {
+            const rel = node.getAttribute('rel') || '';
             const parts = rel.split(/\s+/).filter(Boolean);
             if (!parts.includes('noopener')) {
                 parts.push('noopener');
@@ -39,9 +40,11 @@ export function safeHTML(box, options) {
             if (!parts.includes('noreferrer')) {
                 parts.push('noreferrer');
             }
-            attr(elm, 'rel', parts.join(' '));
-        });
-    }
+            attr(node, 'rel', parts.join(' '));
+        }
+    };
+    process(box);
+    Dom.each(box, process);
 }
 /**
  * Remove all on* event handler attributes from an element
@@ -63,6 +66,39 @@ function removeAllEventAttributes(elm) {
     }
     return effected;
 }
+/**
+ * URL-bearing attributes (besides `href`) that can load or execute content.
+ */
+const URL_ATTRIBUTES = [
+    'src',
+    'data',
+    'action',
+    'formaction',
+    'poster',
+    'background',
+    'xlink:href'
+];
+/**
+ * Tags that load their URL as a *document* (scripts inside run). An SVG data
+ * URL is only an XSS vector here — as an `<img>` source it renders inertly.
+ */
+const DOCUMENT_EMBED_TAGS = new Set(['iframe', 'frame', 'object', 'embed']);
+/**
+ * Detects executable / script-bearing URL schemes. The attribute value is
+ * already HTML-entity-decoded by `getAttribute`, so only whitespace and
+ * control characters (which browsers ignore inside a scheme) need stripping.
+ */
+function isDangerousUrl(value, tagName) {
+    // eslint-disable-next-line no-control-regex
+    const normalized = value.replace(/[\u0000-\u0020]+/g, '').toLowerCase();
+    if (/^(?:javascript|vbscript|livescript|mocha):/.test(normalized)) {
+        return true;
+    }
+    if (/^data:(?:text\/html|application\/xhtml)/.test(normalized)) {
+        return true;
+    }
+    return (/^data:image\/svg/.test(normalized) && DOCUMENT_EMBED_TAGS.has(tagName));
+}
 export function sanitizeHTMLElement(elm, { safeJavaScriptLink, removeOnError } = {
     safeJavaScriptLink: true,
     removeOnError: true
@@ -80,5 +116,21 @@ export function sanitizeHTMLElement(elm, { safeJavaScriptLink, removeOnError } =
         attr(elm, 'href', location.protocol + '//' + href);
         effected = true;
     }
+    if (safeJavaScriptLink) {
+        // `srcdoc` runs its content as a full HTML document — drop it entirely.
+        if (elm.hasAttribute('srcdoc')) {
+            attr(elm, 'srcdoc', null);
+            effected = true;
+        }
+        // Strip executable schemes from any other URL-bearing attribute.
+        const tagName = elm.nodeName.toLowerCase();
+        for (const name of URL_ATTRIBUTES) {
+            const value = elm.getAttribute(name);
+            if (value && isDangerousUrl(value, tagName)) {
+                attr(elm, name, null);
+                effected = true;
+            }
+        }
+    }
     return effected;
 }

package/esm/core/helpers/html/strip-tags.d.ts

@@ -10,4 +10,4 @@ import type { HTMLTagNames, Nullable } from "../../../types/index";
 /**
  * Extract plain text from HTML text
  */
-export declare function stripTags(html: string | Node, doc?: Document, exclude?: Nullable<Set<HTMLTagNames>>): string;
+export declare function stripTags(html: string | Node, doc?: Document, exclude?: Nullable<Set<HTMLTagNames>>, blockBr?: boolean): string;

package/esm/core/helpers/html/strip-tags.js

@@ -24,7 +24,7 @@ const ALONE_TAGS = new Set(['br', 'hr', 'input']);
 /**
  * Extract plain text from HTML text
  */
-export function stripTags(html, doc = document, exclude = null) {
+export function stripTags(html, doc = document, exclude = null, blockBr = false) {
     const tmp = doc.createElement('div');
     if (isString(html)) {
         tmp.innerHTML = html;
@@ -40,7 +40,7 @@ export function stripTags(html, doc = document, exclude = null) {
         if (exclude && Dom.isTag(p, exclude)) {
             const tag = p.nodeName.toLowerCase();
             const text = !Dom.isTag(p, ALONE_TAGS)
-                ? `%%%jodit-${tag}%%%${stripTags(p.innerHTML, doc, exclude)}%%%/jodit-${tag}%%%`
+                ? `%%%jodit-${tag}%%%${stripTags(p.innerHTML, doc, exclude, blockBr)}%%%/jodit-${tag}%%%`
                 : `%%%jodit-single-${tag}%%%`;
             Dom.before(p, doc.createTextNode(text));
             Dom.safeRemove(p);
@@ -58,7 +58,11 @@ export function stripTags(html, doc = document, exclude = null) {
             return;
         }
         if (nx) {
-            pr.insertBefore(doc.createTextNode(' '), nx);
+            // By default blocks are joined with a single space (single-line
+            // plain text). When `blockBr` is set, separate them with a line
+            // break instead, so paragraph structure survives — e.g. the
+            // "Insert only Text" paste option. See #1232
+            pr.insertBefore(doc.createTextNode(blockBr ? '%%%jodit-single-br%%%' : ' '), nx);
         }
     });
     return restoreTags(trim(tmp.innerText));

package/esm/core/helpers/utils/config-proto.js

@@ -10,6 +10,15 @@ import { isVoid } from "../checker/is-void.js";
 import { Config } from "../../../config.js";
 import { isAtom } from "./extend.js";
 import { keys } from "./utils.js";
+/**
+ * Keys that must never be copied from a (potentially untrusted) config object —
+ * assigning them during a recursive merge can reach and mutate
+ * `Object.prototype` (prototype pollution, CWE-1321).
+ */
+const UNSAFE_PROTO_KEYS = ['__proto__', 'constructor', 'prototype'];
+function isUnsafeProtoKey(key) {
+    return UNSAFE_PROTO_KEYS.indexOf(key) !== -1;
+}
 /**
  * @example
  * ```js
@@ -59,6 +68,9 @@ export function ConfigProto(options, proto, deep = 0) {
     }
     const newOpt = {};
     Object.keys(options).forEach(key => {
+        if (isUnsafeProtoKey(key)) {
+            return;
+        }
         const opt = options[key], protoKey = proto ? proto[key] : null;
         if (isPlainObject(opt) && isPlainObject(protoKey) && !isAtom(opt)) {
             newOpt[key] = ConfigProto(opt, protoKey, deep + 1);
@@ -119,6 +131,9 @@ export function ConfigFlatten(obj) {
  */
 export function ConfigMerge(target, source) {
     Object.keys(source).forEach(key => {
+        if (isUnsafeProtoKey(key)) {
+            return;
+        }
         const srcVal = source[key];
         const tgtVal = target[key];
         if (isPlainObject(srcVal) && isPlainObject(tgtVal) && !isAtom(srcVal)) {

package/esm/core/helpers/utils/convert-media-url-to-video-embed.js

@@ -17,7 +17,6 @@ export const convertMediaUrlToVideoEmbed = (url, { width = 400, height = 345 } =
         return url;
     }
     const parser = globalDocument.createElement('a');
-    const pattern1 = /(?:http?s?:\/\/)?(?:www\.)?(?:vimeo\.com)\/?(.+)/g;
     parser.href = url;
     if (!width) {
         width = 400;
@@ -28,27 +27,50 @@ export const convertMediaUrlToVideoEmbed = (url, { width = 400, height = 345 } =
     const protocol = parser.protocol || '';
     switch (parser.hostname) {
         case 'www.vimeo.com':
-        case 'vimeo.com':
-            return pattern1.test(url)
-                ? url.replace(pattern1, '<iframe width="' +
-                    width +
-                    '" height="' +
-                    height +
-                    '" src="' +
-                    protocol +
-                    '//player.vimeo.com/video/$1" frameborder="0" allowfullscreen></iframe>')
-                : url;
+        case 'vimeo.com': {
+            // The numeric video id can be preceded by `channels/<name>/` or
+            // `groups/<name>/videos/` and followed by tracking params (e.g.
+            // `?share=copy`). Unlisted videos keep a hash right after the id
+            // (`vimeo.com/<id>/<hash>`). Extract the id (+ hash) from the path
+            // so all of those forms produce a valid embed. See #1209
+            const segments = parser.pathname.split('/').filter(Boolean);
+            const idIndex = segments.findIndex(s => /^\d+$/.test(s));
+            if (idIndex === -1) {
+                return url;
+            }
+            let path = segments[idIndex];
+            const hash = segments[idIndex + 1];
+            if (hash && idIndex === 0) {
+                path += '/' + hash;
+            }
+            return ('<iframe width="' +
+                width +
+                '" height="' +
+                height +
+                '" src="' +
+                protocol +
+                '//player.vimeo.com/video/' +
+                path +
+                '" frameborder="0" allowfullscreen></iframe>');
+        }
         case 'youtube.com':
         case 'www.youtube.com':
+        case 'm.youtube.com':
+        case 'music.youtube.com':
         case 'youtu.be':
         case 'www.youtu.be': {
-            const query = parser.search
-                ? parseQuery(parser.search)
-                : { v: parser.pathname.substring(1) };
-            if (/^embed\/.*/.test(query.v)) {
-                query.v = query.v.substring(6);
-            }
-            return query.v
+            const query = parser.search ? parseQuery(parser.search) : {};
+            // `youtube.com/watch` keeps the video id in the `v` query
+            // parameter, while the short `youtu.be/<id>` links and the
+            // `/embed/`, `/shorts/`, `/live/` paths keep it in the pathname.
+            // Modern share urls add tracking params (e.g. `?si=`, `?t=`), so
+            // the pathname must still be used as a fallback when there is no
+            // `v`. See #1209
+            let v = query.v || parser.pathname.substring(1);
+            v = v
+                .replace(/^(watch|embed|shorts|live|v)\//, '')
+                .replace(/\/$/, '');
+            return v
                 ? '<iframe width="' +
                     width +
                     '" height="' +
@@ -56,7 +78,7 @@ export const convertMediaUrlToVideoEmbed = (url, { width = 400, height = 345 } =
                     '" src="' +
                     protocol +
                     '//www.youtube.com/embed/' +
-                    query.v +
+                    v +
                     '" frameborder="0" allowfullscreen></iframe>'
                 : url;
         }

package/esm/jodit.js

@@ -1210,6 +1210,26 @@ let Jodit = Jodit_1 = class Jodit extends ViewWithToolbar {
                 }
                 this.synchronizeValues();
             }
+        })
+            .on(this.ow, 'mouseup', (event) => {
+            if (this.o.readonly || this.__isSilentChange) {
+                return;
+            }
+            // When a selection is started inside the editor and the
+            // mouse button is released outside of it, the editable
+            // area never receives the `mouseup` event, so the toolbar
+            // state (active buttons) is not recalculated. Re-fire the
+            // event manually for that case while the selection still
+            // belongs to the editor. See #1251
+            const target = event.target;
+            const insideEditor = Boolean(target &&
+                isNumber(target.nodeType) &&
+                editor.contains(target));
+            if (insideEditor || !this.s.isInsideArea) {
+                return;
+            }
+            this.e.fire('changeSelection');
+            this.synchronizeValues();
         });
     }
     fetch(url, options) {

package/esm/modules/uploader/config.js

@@ -14,7 +14,17 @@ Config.prototype.enableDragAndDropFileToEditor = true;
 Config.prototype.uploader = {
     url: '',
     insertImageAsBase64URI: false,
-    imagesExtensions: ['jpg', 'png', 'jpeg', 'gif'],
+    imagesExtensions: [
+        'jpg',
+        'jpeg',
+        'png',
+        'gif',
+        'webp',
+        'bmp',
+        'svg',
+        'tiff',
+        'avif'
+    ],
     headers: null,
     data: null,
     filesVariableName(i) {

package/esm/plugins/clean-html/helpers/visitor/filters/try-remove-node.js

@@ -31,9 +31,16 @@ function isRemovableNode(jodit, node, current, allow, deny) {
     if (!jodit.o.cleanHTML.removeEmptyElements) {
         return false;
     }
+    // Never drop an empty inline element that currently holds the caret — it is
+    // a pending-format marker the user is about to type into (#1291). `current`
+    // is captured before a click moves the caret, so also check the live caret.
+    const liveCaret = jodit.s.isCollapsed()
+        ? jodit.s.range.startContainer
+        : null;
     return (Dom.isElement(node) &&
         node.nodeName.match(IS_INLINE) != null &&
         !Dom.isTemporary(node) &&
         trimInv(node.innerHTML).length === 0 &&
-        (current == null || !Dom.isOrContains(node, current)));
+        (current == null || !Dom.isOrContains(node, current)) &&
+        (liveCaret == null || !Dom.isOrContains(node, liveCaret)));
 }

package/esm/plugins/color/config.js

@@ -52,8 +52,9 @@ Config.prototype.controls.brush = {
         const update = (key, value) => {
             if (value && value !== css(editor.editor, key).toString()) {
                 button.state.icon.fill = value;
-                return;
+                return true;
             }
+            return false;
         };
         if (color) {
             const mode = dataBind(button, 'color');
@@ -63,8 +64,16 @@ Config.prototype.controls.brush = {
         const current = editor.s.current();
         if (current && !button.state.disabled) {
             const currentBpx = Dom.closest(current, Dom.isElement, editor.editor) || editor.editor;
-            update('color', css(currentBpx, 'color').toString());
-            update('background-color', css(currentBpx, 'background-color').toString());
+            // The icon's fill mirrors the current text/background color so the
+            // button reflects the formatting under the caret. Both calls run so
+            // that a background color (the second call) wins over the text color
+            // when both are set. Keep the computed fill instead of resetting it
+            // below. See #195, #182
+            const hasColor = update('color', css(currentBpx, 'color').toString());
+            const hasBackground = update('background-color', css(currentBpx, 'background-color').toString());
+            if (hasColor || hasBackground) {
+                return;
+            }
         }
         button.state.icon.fill = '';
         button.state.activated = false;

package/esm/plugins/drag-and-drop-element/drag-and-drop-element.d.ts

@@ -21,10 +21,31 @@ export declare class dragAndDropElement extends Plugin {
     private state;
     /** @override */
     protected afterInit(): void;
+    /**
+     * Start dragging a specific element programmatically.
+     *
+     * Allows a separate UI element (for example a drag handle/anchor shown next
+     * to a block) to initiate the drag without the user pressing directly on the
+     * draggable element itself.
+     *
+     * @example
+     * ```js
+     * handle.addEventListener('mousedown', e => {
+     * 	editor.e.fire('startDragElement', preBlock, e);
+     * });
+     * ```
+     */
+    private onStartDragElement;
     /**
      * Drag start handler
      */
     private onDragStart;
+    /**
+     * Prepare the ghost element and switch to the waiting state.
+     * Shared by the native mousedown handler and the programmatic
+     * `startDragElement` event handler.
+     */
+    private startDragging;
     /**
      * Mouse move handler handler
      */

package/esm/plugins/drag-and-drop-element/drag-and-drop-element.js

@@ -49,11 +49,34 @@ export class dragAndDropElement extends Plugin {
                 .filter(Boolean)
                 .map(item => item.toLowerCase())
             : [];
+        // Allow another plugin (e.g. a drag handle/anchor) to start dragging
+        // an element programmatically, regardless of the `draggableTags` list.
+        this.j.e.on('startDragElement', this.onStartDragElement);
         if (!this.dragList.length) {
             return;
         }
         this.j.e.on('mousedown dragstart', this.onDragStart);
     }
+    /**
+     * Start dragging a specific element programmatically.
+     *
+     * Allows a separate UI element (for example a drag handle/anchor shown next
+     * to a block) to initiate the drag without the user pressing directly on the
+     * draggable element itself.
+     *
+     * @example
+     * ```js
+     * handle.addEventListener('mousedown', e => {
+     * 	editor.e.fire('startDragElement', preBlock, e);
+     * });
+     * ```
+     */
+    onStartDragElement(element, event) {
+        if (this.isInDestruct || this.state > DragState.IDLE || !element) {
+            return;
+        }
+        this.startDragging(element, event);
+    }
     /**
      * Drag start handler
      */
@@ -79,11 +102,19 @@ export class dragAndDropElement extends Plugin {
             lastTarget.parentElement.lastChild === lastTarget) {
             lastTarget = lastTarget.parentElement;
         }
+        this.startDragging(lastTarget, event);
+    }
+    /**
+     * Prepare the ghost element and switch to the waiting state.
+     * Shared by the native mousedown handler and the programmatic
+     * `startDragElement` event handler.
+     */
+    startDragging(target, event) {
         this.startX = event.clientX;
         this.startY = event.clientY;
         this.isCopyMode = ctrlKey(event); // we can move only element from editor
-        this.draggable = lastTarget.cloneNode(true);
-        dataBind(this.draggable, 'target', lastTarget);
+        this.draggable = target.cloneNode(true);
+        dataBind(this.draggable, 'target', target);
         this.state = DragState.WAIT_DRAGGING;
         this.addDragListeners();
     }
@@ -157,6 +188,15 @@ export class dragAndDropElement extends Plugin {
         }
         const { parentElement } = fragment;
         this.j.s.insertNode(fragment, true, false);
+        // Dropping a non-editable block (e.g. a `<pre>` code sample) can leave an
+        // invisible filler text node beside it. Remove it so the drop does not
+        // introduce a stray empty line (which clean-html would otherwise strip
+        // later, causing a flash).
+        [fragment.previousSibling, fragment.nextSibling].forEach(node => {
+            if (Dom.isEmptyTextNode(node)) {
+                Dom.safeRemove(node);
+            }
+        });
         if (parentElement &&
             Dom.isEmpty(parentElement) &&
             !Dom.isCell(parentElement)) {
@@ -188,10 +228,15 @@ export class dragAndDropElement extends Plugin {
     /** @override */
     beforeDestruct() {
         this.onDragEnd();
-        this.j.e.off('mousedown dragstart', this.onDragStart);
+        this.j.e
+            .off('mousedown dragstart', this.onDragStart)
+            .off('startDragElement', this.onStartDragElement);
         this.removeDragListeners();
     }
 }
+__decorate([
+    autobind
+], dragAndDropElement.prototype, "onStartDragElement", null);
 __decorate([
     autobind
 ], dragAndDropElement.prototype, "onDragStart", null);