jodit 4.12.30 → 4.12.31
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/es2015/jodit.css +1 -1
- package/es2015/jodit.fat.min.js +2 -2
- package/es2015/jodit.js +11 -4
- package/es2015/jodit.min.js +2 -2
- package/es2015/plugins/debug/debug.css +1 -1
- package/es2015/plugins/debug/debug.js +1 -1
- package/es2015/plugins/debug/debug.min.js +1 -1
- package/es2015/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es2015/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es2015/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es2018/jodit.fat.min.js +2 -2
- package/es2018/jodit.min.js +2 -2
- package/es2018/plugins/debug/debug.min.js +1 -1
- package/es2018/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es2021/jodit.css +1 -1
- package/es2021/jodit.fat.min.js +3 -3
- package/es2021/jodit.js +11 -4
- package/es2021/jodit.min.js +3 -3
- package/es2021/plugins/debug/debug.css +1 -1
- package/es2021/plugins/debug/debug.js +1 -1
- package/es2021/plugins/debug/debug.min.js +1 -1
- package/es2021/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es2021/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es2021/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es2021.en/jodit.css +1 -1
- package/es2021.en/jodit.fat.min.js +3 -3
- package/es2021.en/jodit.js +11 -4
- package/es2021.en/jodit.min.js +3 -3
- package/es2021.en/plugins/debug/debug.css +1 -1
- package/es2021.en/plugins/debug/debug.js +1 -1
- package/es2021.en/plugins/debug/debug.min.js +1 -1
- package/es2021.en/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es2021.en/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es2021.en/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es5/jodit.css +2 -2
- package/es5/jodit.fat.min.js +2 -2
- package/es5/jodit.js +12 -5
- package/es5/jodit.min.css +2 -2
- package/es5/jodit.min.js +2 -2
- package/es5/plugins/debug/debug.css +1 -1
- package/es5/plugins/debug/debug.js +1 -1
- package/es5/plugins/debug/debug.min.js +1 -1
- package/es5/plugins/speech-recognize/speech-recognize.css +1 -1
- package/es5/plugins/speech-recognize/speech-recognize.js +1 -1
- package/es5/plugins/speech-recognize/speech-recognize.min.js +1 -1
- package/es5/polyfills.fat.min.js +1 -1
- package/es5/polyfills.js +1 -1
- package/es5/polyfills.min.js +1 -1
- package/esm/core/constants.js +1 -1
- package/esm/core/helpers/html/safe-html.js +9 -2
- package/package.json +1 -1
package/es2015/jodit.js
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
/*!
|
|
2
2
|
* jodit - Jodit is an awesome and useful wysiwyg editor with filebrowser
|
|
3
3
|
* Author: Chupurnov <chupurnov@gmail.com> (https://xdsoft.net/jodit/)
|
|
4
|
-
* Version: v4.12.
|
|
4
|
+
* Version: v4.12.31
|
|
5
5
|
* Url: https://xdsoft.net/jodit/
|
|
6
6
|
* License(s): MIT
|
|
7
7
|
*/
|
|
@@ -1816,7 +1816,7 @@ __webpack_require__.r(__webpack_exports__);
|
|
|
1816
1816
|
* ```
|
|
1817
1817
|
* @packageDocumentation
|
|
1818
1818
|
* @module constants
|
|
1819
|
-
*/ const APP_VERSION = "4.12.
|
|
1819
|
+
*/ const APP_VERSION = "4.12.31";
|
|
1820
1820
|
// prettier-ignore
|
|
1821
1821
|
const ES = "es2015";
|
|
1822
1822
|
const IS_ES_MODERN = true;
|
|
@@ -6203,8 +6203,16 @@ function sanitizeHTMLElement(elm, { safeJavaScriptLink, removeOnError } = {
|
|
|
6203
6203
|
(0,jodit_core_helpers_utils__WEBPACK_IMPORTED_MODULE_1__.attr)(elm, 'onerror', null);
|
|
6204
6204
|
effected = true;
|
|
6205
6205
|
}
|
|
6206
|
+
const tagName = elm.nodeName.toLowerCase();
|
|
6206
6207
|
const href = elm.getAttribute('href');
|
|
6207
|
-
|
|
6208
|
+
// Neutralize executable-scheme `href`s with the same normalization used for
|
|
6209
|
+
// every other URL attribute (`isDangerousUrl`), which strips control bytes,
|
|
6210
|
+
// tabs and newlines and lowercases before matching the scheme. The previous
|
|
6211
|
+
// bare `href.trim().indexOf('javascript') === 0` was case-sensitive and
|
|
6212
|
+
// missed `JAVASCRIPT:`, a leading control byte, or a tab/newline inside the
|
|
6213
|
+
// scheme (e.g. `java\tscript:`) — all of which the browser still resolves to
|
|
6214
|
+
// `javascript:` on click. See GHSA-j839-gqq4-gf9j.
|
|
6215
|
+
if (safeJavaScriptLink && href && isDangerousUrl(href, tagName)) {
|
|
6208
6216
|
(0,jodit_core_helpers_utils__WEBPACK_IMPORTED_MODULE_1__.attr)(elm, 'href', location.protocol + '//' + href);
|
|
6209
6217
|
effected = true;
|
|
6210
6218
|
}
|
|
@@ -6215,7 +6223,6 @@ function sanitizeHTMLElement(elm, { safeJavaScriptLink, removeOnError } = {
|
|
|
6215
6223
|
effected = true;
|
|
6216
6224
|
}
|
|
6217
6225
|
// Strip executable schemes from any other URL-bearing attribute.
|
|
6218
|
-
const tagName = elm.nodeName.toLowerCase();
|
|
6219
6226
|
for (const name of URL_ATTRIBUTES){
|
|
6220
6227
|
const value = elm.getAttribute(name);
|
|
6221
6228
|
if (value && isDangerousUrl(value, tagName)) {
|