jodit 4.12.29 → 4.12.31
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +12 -0
- package/es2015/jodit.css +1 -1
- package/es2015/jodit.fat.min.js +2 -2
- package/es2015/jodit.js +25 -7
- package/es2015/jodit.min.js +2 -2
- package/es2015/plugins/debug/debug.css +1 -1
- package/es2015/plugins/debug/debug.js +1 -1
- package/es2015/plugins/debug/debug.min.js +1 -1
- package/es2015/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es2015/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es2015/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es2018/jodit.fat.min.js +2 -2
- package/es2018/jodit.min.js +2 -2
- package/es2018/plugins/debug/debug.min.js +1 -1
- package/es2018/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es2021/jodit.css +1 -1
- package/es2021/jodit.fat.min.js +3 -3
- package/es2021/jodit.js +25 -7
- package/es2021/jodit.min.js +3 -3
- package/es2021/plugins/debug/debug.css +1 -1
- package/es2021/plugins/debug/debug.js +1 -1
- package/es2021/plugins/debug/debug.min.js +1 -1
- package/es2021/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es2021/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es2021/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es2021.en/jodit.css +1 -1
- package/es2021.en/jodit.fat.min.js +3 -3
- package/es2021.en/jodit.js +25 -7
- package/es2021.en/jodit.min.js +3 -3
- package/es2021.en/plugins/debug/debug.css +1 -1
- package/es2021.en/plugins/debug/debug.js +1 -1
- package/es2021.en/plugins/debug/debug.min.js +1 -1
- package/es2021.en/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es2021.en/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es2021.en/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es5/jodit.css +2 -2
- package/es5/jodit.fat.min.js +2 -2
- package/es5/jodit.js +26 -8
- package/es5/jodit.min.css +2 -2
- package/es5/jodit.min.js +2 -2
- package/es5/plugins/debug/debug.css +1 -1
- package/es5/plugins/debug/debug.js +1 -1
- package/es5/plugins/debug/debug.min.js +1 -1
- package/es5/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es5/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es5/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es5/polyfills.fat.min.js +1 -1
- package/es5/polyfills.js +1 -1
- package/es5/polyfills.min.js +1 -1
- package/esm/core/constants.js +1 -1
- package/esm/core/helpers/html/apply-styles.js +14 -3
- package/esm/core/helpers/html/safe-html.js +9 -2
- package/package.json +1 -1
package/es5/polyfills.fat.min.js
CHANGED
package/es5/polyfills.js
CHANGED
package/es5/polyfills.min.js
CHANGED
package/esm/core/constants.js
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
* Released under MIT see LICENSE.txt in the project root for license information.
|
|
4
4
|
* Copyright (c) 2013-2026 Valerii Chupurnov. All rights reserved. https://xdsoft.net
|
|
5
5
|
*/
|
|
6
|
-
export const APP_VERSION = "4.12.
|
|
6
|
+
export const APP_VERSION = "4.12.31";
|
|
7
7
|
// prettier-ignore
|
|
8
8
|
export const ES = "es2020";
|
|
9
9
|
export const IS_ES_MODERN = true;
|
|
@@ -31,11 +31,22 @@ function normalizeCSS(s) {
|
|
|
31
31
|
* and then removes the selector styles, leaving only the inline ones.
|
|
32
32
|
*/
|
|
33
33
|
export function applyStyles(html) {
|
|
34
|
-
|
|
34
|
+
// Match the opening <html> tag whether or not it carries attributes. MS
|
|
35
|
+
// Word emits `<html xmlns:o=…>` (note the trailing space), but Excel/Calc
|
|
36
|
+
// wrap the copied table in a bare `<html>`. The old `'<html '` check missed
|
|
37
|
+
// the bare tag, so for Excel clipboards the `<style>` rules (class-based
|
|
38
|
+
// cell backgrounds/borders, e.g. `.xl31 { background:#FCE4D6 }`) were never
|
|
39
|
+
// inlined and all styling was lost once the `<style>` block got stripped.
|
|
40
|
+
// See https://github.com/xdan/jodit/issues/1362
|
|
41
|
+
const openMatch = /<html(?:\s[^>]*)?>/i.exec(html);
|
|
42
|
+
if (!openMatch) {
|
|
35
43
|
return html;
|
|
36
44
|
}
|
|
37
|
-
html = html.substring(
|
|
38
|
-
|
|
45
|
+
html = html.substring(openMatch.index);
|
|
46
|
+
const closeIndex = html.toLowerCase().lastIndexOf('</html>');
|
|
47
|
+
if (closeIndex !== -1) {
|
|
48
|
+
html = html.substring(0, closeIndex + '</html>'.length);
|
|
49
|
+
}
|
|
39
50
|
const iframe = globalDocument.createElement('iframe');
|
|
40
51
|
iframe.style.display = 'none';
|
|
41
52
|
globalDocument.body.appendChild(iframe);
|
|
@@ -150,8 +150,16 @@ export function sanitizeHTMLElement(elm, { safeJavaScriptLink, removeOnError } =
|
|
|
150
150
|
attr(elm, 'onerror', null);
|
|
151
151
|
effected = true;
|
|
152
152
|
}
|
|
153
|
+
const tagName = elm.nodeName.toLowerCase();
|
|
153
154
|
const href = elm.getAttribute('href');
|
|
154
|
-
|
|
155
|
+
// Neutralize executable-scheme `href`s with the same normalization used for
|
|
156
|
+
// every other URL attribute (`isDangerousUrl`), which strips control bytes,
|
|
157
|
+
// tabs and newlines and lowercases before matching the scheme. The previous
|
|
158
|
+
// bare `href.trim().indexOf('javascript') === 0` was case-sensitive and
|
|
159
|
+
// missed `JAVASCRIPT:`, a leading control byte, or a tab/newline inside the
|
|
160
|
+
// scheme (e.g. `java\tscript:`) — all of which the browser still resolves to
|
|
161
|
+
// `javascript:` on click. See GHSA-j839-gqq4-gf9j.
|
|
162
|
+
if (safeJavaScriptLink && href && isDangerousUrl(href, tagName)) {
|
|
155
163
|
attr(elm, 'href', location.protocol + '//' + href);
|
|
156
164
|
effected = true;
|
|
157
165
|
}
|
|
@@ -162,7 +170,6 @@ export function sanitizeHTMLElement(elm, { safeJavaScriptLink, removeOnError } =
|
|
|
162
170
|
effected = true;
|
|
163
171
|
}
|
|
164
172
|
// Strip executable schemes from any other URL-bearing attribute.
|
|
165
|
-
const tagName = elm.nodeName.toLowerCase();
|
|
166
173
|
for (const name of URL_ATTRIBUTES) {
|
|
167
174
|
const value = elm.getAttribute(name);
|
|
168
175
|
if (value && isDangerousUrl(value, tagName)) {
|