jodit 4.12.26 → 4.12.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (51)
  1. package/CHANGELOG.md +1 -1
  2. package/es2015/jodit.css +1 -1
  3. package/es2015/jodit.fat.min.js +2 -2
  4. package/es2015/jodit.js +2 -2
  5. package/es2015/jodit.min.js +2 -2
  6. package/es2015/plugins/debug/debug.css +1 -1
  7. package/es2015/plugins/debug/debug.js +1 -1
  8. package/es2015/plugins/debug/debug.min.js +1 -1
  9. package/es2015/plugins/speech-recognize/speech-recognize.css +1 -1
  10. package/es2015/plugins/speech-recognize/speech-recognize.js +1 -1
  11. package/es2015/plugins/speech-recognize/speech-recognize.min.js +1 -1
  12. package/es2018/jodit.fat.min.js +2 -2
  13. package/es2018/jodit.min.js +2 -2
  14. package/es2018/plugins/debug/debug.min.js +1 -1
  15. package/es2018/plugins/speech-recognize/speech-recognize.min.js +1 -1
  16. package/es2021/jodit.css +1 -1
  17. package/es2021/jodit.fat.min.js +2 -2
  18. package/es2021/jodit.js +2 -2
  19. package/es2021/jodit.min.js +2 -2
  20. package/es2021/plugins/debug/debug.css +1 -1
  21. package/es2021/plugins/debug/debug.js +1 -1
  22. package/es2021/plugins/debug/debug.min.js +1 -1
  23. package/es2021/plugins/speech-recognize/speech-recognize.css +1 -1
  24. package/es2021/plugins/speech-recognize/speech-recognize.js +1 -1
  25. package/es2021/plugins/speech-recognize/speech-recognize.min.js +1 -1
  26. package/es2021.en/jodit.css +1 -1
  27. package/es2021.en/jodit.fat.min.js +2 -2
  28. package/es2021.en/jodit.js +2 -2
  29. package/es2021.en/jodit.min.js +2 -2
  30. package/es2021.en/plugins/debug/debug.css +1 -1
  31. package/es2021.en/plugins/debug/debug.js +1 -1
  32. package/es2021.en/plugins/debug/debug.min.js +1 -1
  33. package/es2021.en/plugins/speech-recognize/speech-recognize.css +1 -1
  34. package/es2021.en/plugins/speech-recognize/speech-recognize.js +1 -1
  35. package/es2021.en/plugins/speech-recognize/speech-recognize.min.js +1 -1
  36. package/es5/jodit.css +2 -2
  37. package/es5/jodit.fat.min.js +2 -2
  38. package/es5/jodit.js +2 -2
  39. package/es5/jodit.min.css +2 -2
  40. package/es5/jodit.min.js +2 -2
  41. package/es5/plugins/debug/debug.css +1 -1
  42. package/es5/plugins/debug/debug.js +1 -1
  43. package/es5/plugins/debug/debug.min.js +1 -1
  44. package/es5/plugins/speech-recognize/speech-recognize.css +1 -1
  45. package/es5/plugins/speech-recognize/speech-recognize.js +1 -1
  46. package/es5/plugins/speech-recognize/speech-recognize.min.js +1 -1
  47. package/es5/polyfills.fat.min.js +1 -1
  48. package/es5/polyfills.js +1 -1
  49. package/es5/polyfills.min.js +1 -1
  50. package/esm/core/constants.js +1 -1
  51. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -86,7 +86,7 @@
86
86
 
87
87
  #### :bug: Bug Fix
88
88
 
89
- - **Security (stored XSS)**: the HTML sanitizer (`safeHTML`) stripped `on*` event handlers and `javascript:` links but left several executable constructs in the serialized editor value, so an application that re-rendered `editor.value` as trusted HTML could execute attacker script. It now also: drops `iframe[srcdoc]`; removes `data:text/html` / `data:application/xhtml` (and SVG `data:` URLs in `iframe`/`object`/`embed`/`frame`) sources; and strips `javascript:`/`vbscript:`/`livescript:`/`mocha:` from every URL-bearing attribute (`src`, `data`, `action`, `formaction`, `poster`, `background`, `xlink:href`), not just `<a href>`. Safe `data:image/*` sources (e.g. base64 PNG/SVG used in `<img>`) are preserved. Responsibly reported by Yuji Tounai.
89
+ - **Security (stored XSS)**: the HTML sanitizer (`safeHTML`) stripped `on*` event handlers and `javascript:` links but left several executable constructs in the serialized editor value, so an application that re-rendered `editor.value` as trusted HTML could execute attacker script. It now also: drops `iframe[srcdoc]`; removes `data:text/html` / `data:application/xhtml` (and SVG `data:` URLs in `iframe`/`object`/`embed`/`frame`) sources; and strips `javascript:`/`vbscript:`/`livescript:`/`mocha:` from every URL-bearing attribute (`src`, `data`, `action`, `formaction`, `poster`, `background`, `xlink:href`), not just `<a href>`. Safe `data:image/*` sources (e.g. base64 PNG/SVG used in `<img>`) are preserved. Responsibly reported by Yuji Tounai ([@yousukezan](https://x.com/yousukezan)).
90
90
  - **Paste (Insert as Text)**: pasting multi-line content with the *Insert as Text* option lost its line breaks — the escaped text kept raw newlines that collapse to spaces when rendered. The *Insert as Text* path now converts newlines to `<br>` (gated on `nl2brInPlainText`, like the plain-text paste path). Fixes [#1093](https://github.com/xdan/jodit/issues/1093).
91
91
  - **Hotkeys**: the default keyboard shortcut for *Insert Unordered List* (`Ctrl/Cmd+Shift+8`) never fired — both variants were written as a single comma-joined string `'ctrl+shift+8, cmd+shift+8'` instead of two separate array entries, so the combined value never matched a real keypress. Fixes [#1079](https://github.com/xdan/jodit/issues/1079).
92
92
  - **Color / Brush button**: the brush (text/background color) button never reflected the color under the caret. Its `update` handler computed the current color into the icon fill but then **unconditionally** reset `icon.fill` to an empty string on every toolbar update, discarding it — which also made the icon render invisibly against some themes (`editorCssClass`). The computed fill is now kept when a color is present (and only cleared when there is none). Fixes [#195](https://github.com/xdan/jodit/issues/195) and [#182](https://github.com/xdan/jodit/issues/182).
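Review bot: the security entry at line 89 gains only the reporter's handle, and unlike the neighbouring entries (which end in "Fixes [#1093]", "Fixes [#1079]", "Fixes [#195]") it still has no issue or advisory link and no statement of which release first shipped the `safeHTML` change. Since this hunk edits an existing entry rather than adding a new one, a reader of this version bump cannot tell from the changelog whether upgrading to it is what closes the stored-XSS gap; suggest appending the advisory or issue reference and the fixed-in version to the same line. The entry also enumerates specific schemes (`javascript:`/`vbscript:`/`livescript:`/`mocha:`) and attributes, so it would help to say explicitly that the guarantee for applications re-rendering `editor.value` as trusted HTML covers those listed constructs.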
package/es2015/jodit.css CHANGED
@@ -1,7 +1,7 @@
1
1
  /*!
2
2
  * jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
3
3
  * Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
4
- * Version: v4.12.26
4
+ * Version: v4.12.27
5
5
  * Url: https://xdsoft.net/jodit/
6
6
  * License(s): MIT
7
7
  */