suneditor 3.1.3 → 3.1.4

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "suneditor",
-	"version": "3.1.3",
+	"version": "3.1.4",
 	"description": "Vanilla JavaScript based WYSIWYG web editor",
 	"author": "Yi JiHong",
 	"license": "MIT",

package/src/core/logic/dom/html.js

@@ -77,18 +77,10 @@ class HTML {
 		}
 
 		const stylesMap = new Map();
-		const stylesObj = {
-			...splitTagStyles,
-			line: options.get('_lineStylesRegExp'),
-		};
-		this.#textStyleTags.forEach((v) => {
-			stylesObj[v] = options.get('_textStylesRegExp');
-		});
-
-		for (const key in stylesObj) {
-			stylesMap.set(new RegExp(`^(${key})$`), stylesObj[key]);
+		for (const key in splitTagStyles) {
+			stylesMap.set(new RegExp(`^(${key})$`), splitTagStyles[key]);
 		}
-		this.#cleanStyleTagKeyRegExp = new RegExp(`^(${Object.keys(stylesObj).join('|')})$`, 'i');
+		this.#cleanStyleTagKeyRegExp = new RegExp(`^(${Object.keys(splitTagStyles).join('|')})$`, 'i');
 		this.#cleanStyleRegExpMap = stylesMap;
 
 		// font size unit
@@ -1966,12 +1958,12 @@ class HTML {
 				v.push(sv[0]);
 			}
 		} else if (!v || !_RE_STYLE_EQ.test(v.toString())) {
-			if (this.#textStyleTags.includes(tagName)) {
+			if (this.#cleanStyleTagKeyRegExp.test(tagName)) {
 				v = this.#cleanStyle(m, v, tagName);
 			} else if (this.#$.format.isLine(tagName)) {
-				v = this.#cleanStyle(m, v, 'line');
-			} else if (this.#cleanStyleTagKeyRegExp.test(tagName)) {
-				v = this.#cleanStyle(m, v, tagName);
+				v = this.#cleanStyle(m, v, '@line');
+			} else if (this.#textStyleTags.includes(tagName)) {
+				v = this.#cleanStyle(m, v, '@text');
 			}
 		}
 

package/src/core/schema/options.js

@@ -67,6 +67,8 @@ export const DEFAULTS = {
 		'vertical-align|visibility|' +
 		'white-space|word-break|word-wrap',
 	TAG_STYLES: {
+		'@text': 'font-family|font-size|color|background-color|width|height',
+		'@line': 'text-align|margin|margin-left|margin-right|line-height',
 		'table|th|td': 'border|border-[a-z]+|color|background-color|text-align|float|font-weight|text-decoration|font-style|vertical-align',
 		'table|td': 'width',
 		tr: 'height',
@@ -78,8 +80,6 @@ export const DEFAULTS = {
 		'img|video|iframe': 'transform|transform-origin|width|min-width|max-width|height|min-height|max-height|float|margin|margin-top',
 		hr: '',
 	},
-	SPAN_STYLES: 'font-family|font-size|color|background-color|width|height',
-	LINE_STYLES: 'text-align|margin|margin-left|margin-right|line-height',
 
 	RETAIN_STYLE_MODE: ['repeat', 'always', 'none'],
 };
@@ -317,7 +317,7 @@ export const DEFAULTS = {
  * - `classFilter`: Filters disallowed CSS class names (`allowedClassName`)
  * - `textStyleTagFilter`: Filters text style tags (b, i, u, span, etc.)
  * - `attrFilter`: Filters disallowed HTML attributes (`attributeWhitelist`/`attributeBlacklist`)
- * - `styleFilter`: Filters disallowed inline styles (`spanStyles`/`lineStyles`/`allUsedStyles`)
+ * - `styleFilter`: Filters disallowed inline styles (per-tag from `tagStyles`)
  * ```js
  * // disable only attribute and style filters
  * {
@@ -393,19 +393,23 @@ export const DEFAULTS = {
  * ```js
  * { allUsedStyles: 'color|background-color|text-shadow' }
  * ```
- * @property {Object<string, string>} [tagStyles={}] - Specifies allowed styles for HTML tags. Key is tag name(s), value is pipe-delimited allowed styles.
+ * @property {Object<string, string>} [tagStyles={}] - Specifies allowed CSS styles per HTML tag.
+ * - Key is a tag name, multiple tags joined with `|`, or a category sentinel (`@text`, `@line`).
+ * - Value is a pipe-delimited list of allowed style names.
+ * - Resolution order when filtering an element: explicit tag entry → `@line` (for formatLine elements) → `@text` (for textStyleTags).
+ * - An explicit tag entry **replaces** the category default — include category styles in the value if you want both.
+ * - Merged with {@link DEFAULTS.TAG_STYLES}; user-supplied keys win.
  * ```js
  * {
  *   tagStyles: {
- *     'table|td': 'border|color|background-color',
- *     hr: 'border-top'
+ *     '@text': 'color|font-size|background-color',  // default for span, b, i, em, ...
+ *     '@line': 'text-align|margin|line-height',     // default for p, h1-h6, div, li, ...
+ *     'table|td': 'border|color|background-color',  // per-tag whitelist
+ *     div: 'color',                                   // explicit override; ignores `@line` default
+ *     hr: 'border-top',
  *   }
  * }
  * ```
- * @property {string} [spanStyles=CONSTANTS.SPAN_STYLES] - Specifies allowed styles for the `span` tag.
- * - The default follows {@link DEFAULTS.SPAN_STYLES}
- * @property {string} [lineStyles=CONSTANTS.LINE_STYLES] - Specifies allowed styles for the `line` element (p..).
- * - The default follows {@link DEFAULTS.LINE_STYLES}
  * @property {Array<string>} [fontSizeUnits=CONSTANTS.SIZE_UNITS] - Allowed font size units.
  * - The default follows {@link DEFAULTS.SIZE_UNITS}
  * @property {"repeat"|"always"|"none"} [retainStyleMode="repeat"] - Determines how inline elements (e.g. `<span>`, `<strong>`) are handled when deleting text.
@@ -625,8 +629,6 @@ export const DEFAULTS = {
  * @property {string[]} [_reverseCommandArray] - Internal key shortcut matcher for reverse commands.
  * @property {string} [_subMode] - Sub toolbar mode (e.g., `balloon`).
  * @property {string[]} [_textStyleTags] - Tag names used for text styling, plus span/li.
- * @property {RegExp} [_textStylesRegExp] - Regex to match inline styles (e.g., fontSize, color).
- * @property {RegExp} [_lineStylesRegExp] - Regex to match line styles (e.g., text-align, padding).
  * @property {Object<string, string>} [_defaultStyleTagMap] - Mapping HTML tag => standard tag.
  * @property {Object<string, string>} [_styleCommandMap] - Mapping HTML tag => command (e.g., bold, underline).
  * @property {Object<string, string>} [_defaultTagCommand] - Mapping command => preferred tag.
@@ -723,8 +725,6 @@ export const OPTION_FIXED_FLAG = {
 	convertTextTags: 'fixed',
 	__tagStyles: 'fixed',
 	tagStyles: 'fixed',
-	spanStyles: 'fixed',
-	lineStyles: 'fixed',
 	textDirection: true,
 	reverseButtons: 'fixed',
 	historyStackDelayTime: true,
@@ -788,7 +788,7 @@ export const OPTION_FIXED_FLAG = {
  * @property {boolean} classFilter - Filters disallowed CSS class names (`allowedClassName`)
  * @property {boolean} textStyleTagFilter - Filters text style tags (b, i, u, span, etc.)
  * @property {boolean} attrFilter - Filters disallowed HTML attributes (`attributeWhitelist`/`attributeBlacklist`)
- * @property {boolean} styleFilter - Filters disallowed inline styles (`spanStyles`/`lineStyles`/`allUsedStyles`)
+ * @property {boolean} styleFilter - Filters disallowed inline styles (per-tag from `tagStyles`)
  */
 
 /**

package/src/core/section/constructor.js

@@ -516,8 +516,6 @@ export function InitOptions(options, editorTargets, plugins) {
 			return _default;
 		}, {}),
 	);
-	o.set('_textStylesRegExp', new RegExp(`\\s*[^-a-zA-Z](${DEFAULTS.SPAN_STYLES}${options.spanStyles ? '|' + options.spanStyles : ''})\\s*:[^;]+(?!;)*`, 'gi'));
-	o.set('_lineStylesRegExp', new RegExp(`\\s*[^-a-zA-Z](${DEFAULTS.LINE_STYLES}${options.lineStyles ? '|' + options.lineStyles : ''})\\s*:[^;]+(?!;)*`, 'gi'));
 	o.set('_defaultStyleTagMap', {
 		strong: textTags.bold,
 		b: textTags.bold,
@@ -760,21 +758,13 @@ export function InitOptions(options, editorTargets, plugins) {
 
 	/** Create all used styles  */
 	const allUsedStyles = new Set(DEFAULTS.CONTENT_STYLES.split('|'));
-	const _ss = options.spanStyles?.split('|') || [];
 	const _ls = o.get('__listCommonStyle');
-	const _dts = DEFAULTS.SPAN_STYLES.split('|');
-	for (let i = 0, len = _dts.length; i < len; i++) {
-		allUsedStyles.add(_dts[i]);
-	}
 	for (const _ts of Object.values(o.get('tagStyles'))) {
 		const _tss = _ts.split('|');
 		for (let i = 0, len = _tss.length; i < len; i++) {
 			allUsedStyles.add(_tss[i]);
 		}
 	}
-	for (let i = 0, len = _ss.length; i < len; i++) {
-		allUsedStyles.add(_ss[i]);
-	}
 	for (let i = 0, len = _ls.length; i < len; i++) {
 		allUsedStyles.add(_ls[i]);
 	}

package/src/modules/contract/Browser.js

@@ -40,7 +40,7 @@ import ApiManager from '../manager/ApiManager';
  *   ]
  * }
  * ```
- * @property {Object<string, string>} [searchUrlHeader] - File server search http header. Optional. Can be overridden in browser.
+ * @property {Object<string, string>} [searchHeaders] - File server search http header. Optional. Can be overridden in browser.
  * @property {string} [listClass] - Class name of list div. Required. Can be overridden in browser.
  * @property {(item: BrowserFile) => string} [drawItemHandler] - Function that returns HTML string for rendering each file item. Required. Can be overridden in browser.
  * ```js
@@ -114,9 +114,9 @@ class Browser {
 		this.listClass = params.listClass || 'se-preview-list';
 		this.directData = params.data;
 		this.url = params.url;
-		this.urlHeader = params.headers;
+		this.headers = params.headers;
 		this.searchUrl = params.searchUrl;
-		this.searchUrlHeader = params.searchUrlHeader;
+		this.searchHeaders = params.searchHeaders;
 		this.drawItemHandler = (params.drawItemHandler || DrawItems).bind({ thumbnail: params.thumbnail, props: params.props || [] });
 		this.selectorHandler = params.selectorHandler;
 		this.columnSize = params.columnSize || 4;
@@ -176,7 +176,7 @@ class Browser {
 	 * @param {string} [params.listClass] - Class name of list div. If not, use `this.listClass`.
 	 * @param {string} [params.title] - File browser window title. If not, use `this.title`.
 	 * @param {string} [params.url] - File server url. If not, use `this.url`.
-	 * @param {Object<string, string>} [params.urlHeader] - File server http header. If not, use `this.urlHeader`.
+	 * @param {Object<string, string>} [params.headers] - File server http header. If not, use `this.headers`.
 	 * @example
 	 * // Open with default settings (configured at construction):
 	 * this.browser.open();
@@ -185,7 +185,7 @@ class Browser {
 	 * this.browser.open({
 	 *   title: 'Select a video',
 	 *   url: '/api/videos',
-	 *   urlHeader: { Authorization: 'Bearer token' },
+	 *   headers: { Authorization: 'Bearer token' },
 	 * });
 	 */
 	open(params = {}) {
@@ -205,7 +205,7 @@ class Browser {
 		if (this.directData) {
 			this.#drowItems(this.directData);
 		} else {
-			this.#drawFileList(params.url || this.url, params.urlHeader || this.urlHeader, false);
+			this.#drawFileList(params.url || this.url, params.headers || this.headers, false);
 		}
 
 		this.body.style.maxHeight = dom.utils.getClientSize().h - (this.#$.offset.getGlobal(this.body).top - _w.scrollY) - 20 + 'px';
@@ -246,7 +246,8 @@ class Browser {
 	search(keyword) {
 		if (this.searchUrl) {
 			this.keyword = keyword;
-			this.#drawFileList(this.searchUrl + '?keyword=' + keyword, this.searchUrlHeader, false);
+			const sep = this.searchUrl.includes('?') ? '&' : '?';
+			this.#drawFileList(this.searchUrl + sep + 'keyword=' + _w.encodeURIComponent(keyword), this.searchHeaders, false);
 		} else {
 			this.keyword = keyword.toLowerCase();
 			this.#drawListItem(this.#allItems.length > 0 ? this.#allItems : this.items, false);
@@ -302,11 +303,11 @@ class Browser {
 	/**
 	 * @description Fetches the file list from the server.
 	 * @param {string} url - The file server URL.
-	 * @param {Object<string, string>} urlHeader - The HTTP headers for the request.
+	 * @param {Object<string, string>} headers - The HTTP headers for the request.
 	 * @param {boolean} pageLoading - Indicates if this is a paginated request.
 	 */
-	#drawFileList(url, urlHeader, pageLoading) {
-		this.apiManager.call({ method: 'GET', url, headers: urlHeader, callBack: this.#CallBackGet.bind(this), errorCallBack: this.#CallBackError.bind(this) });
+	#drawFileList(url, headers, pageLoading) {
+		this.apiManager.call({ method: 'GET', url, headers, callBack: this.#CallBackGet.bind(this), errorCallBack: this.#CallBackError.bind(this) });
 		if (!pageLoading) {
 			this.sideOpenBtn.style.display = 'none';
 			this.showBrowserLoading();
@@ -601,7 +602,7 @@ class Browser {
 		this.selectedTags = [];
 
 		if (typeof data === 'string') {
-			this.#drawFileList(data, this.urlHeader, true);
+			this.#drawFileList(data, this.headers, true);
 		} else {
 			this.#drawListItem(data, true);
 		}

package/src/modules/contract/Figure.js

@@ -1553,6 +1553,7 @@ class Figure {
 		this.setAlign(this._element, value);
 		this.selectMenu_align.close();
 		this.#$.component.select(this._element, this.kind);
+		this.#$.history.push(false);
 	}
 
 	/**
@@ -1561,6 +1562,7 @@ class Figure {
 	#SetMenuAs(value) {
 		this.convertAsFormat(this._element, value);
 		this.selectMenu_as.close();
+		this.#$.history.push(false);
 	}
 
 	/**
@@ -1583,6 +1585,7 @@ class Figure {
 
 		this.selectMenu_resize.close();
 		this.#$.component.select(this._element, this.kind);
+		this.#$.history.push(false);
 	}
 
 	#OffFigureContainer() {

package/src/modules/contract/Modal.js

@@ -10,6 +10,9 @@ const DIRECTION_CURSOR_MAP = { w: 'ns-resize', h: 'ew-resize', c: 'nwse-resize',
 class Modal {
 	#$;
 
+	/** @type {Node} */
+	#targetElement;
+
 	/** @type {HTMLElement} */
 	#modalArea;
 	/** @type {HTMLElement} */
@@ -175,6 +178,8 @@ class Modal {
 		}
 
 		if (this.focusElement) this.focusElement.focus();
+
+		this.#targetElement = this.#$.component.currentTarget;
 	}
 
 	/**
@@ -205,7 +210,13 @@ class Modal {
 		this.inst.modalInit?.();
 		this.inst.modalOff?.(this.isUpdate);
 
-		if (!this.isUpdate) this.#$.focusManager.focus();
+		if (!this.isUpdate) {
+			this.#$.focusManager.focus();
+		} else if (this.#targetElement) {
+			this.inst.componentSelect?.(this.#targetElement);
+		}
+
+		this.#targetElement = null;
 	}
 
 	/**

package/src/modules/ui/ModalAnchorEditor.js

@@ -209,6 +209,8 @@ class ModalAnchorEditor {
 	/**
 	 * @description Creates an anchor (`<a>`) element with the specified attributes.
 	 * @param {boolean} notText - If `true`, the anchor will not contain text content.
+	 * @param {?string} [urlOverride] - Fallback URL used when the modal's `linkValue` is empty
+	 * - (e.g., when called outside the modal lifecycle such as from `retainFormat`)
 	 * @returns {HTMLElement|null} - The newly created anchor element, or `null` if the URL is empty.
 	 * @example
 	 * // In a link plugin — create anchor with text content:
@@ -221,11 +223,14 @@ class ModalAnchorEditor {
 	 * if (anchor) {
 	 *   anchor.appendChild(imgElement);
 	 * }
+	 *
+	 * // Preserve an existing parent anchor's href when rebuilding outside the modal:
+	 * const anchor = this.anchor.create(true, parentAnchor.href);
 	 */
-	create(notText) {
-		if (this.linkValue.length === 0) return null;
+	create(notText, urlOverride) {
+		const url = this.linkValue || urlOverride || '';
+		if (url.length === 0) return null;
 
-		const url = this.linkValue;
 		const displayText = this.displayInput.value.length === 0 ? url : this.displayInput.value;
 
 		const oA = /** @type {HTMLAnchorElement} */ (this.currentTarget || dom.utils.createElement('A'));

package/src/plugins/browser/audioGallery.js

@@ -19,6 +19,10 @@ import { Browser } from '../../modules/contract';
  * }
  * ```
  * @property {Object<string, string>} [headers] - Server request headers
+ * @property {string} [searchUrl] - Server-side search URL. When set, the keyword is sent to this URL
+ * as `?keyword=<value>` and the server response replaces the list. When not set, search filters the
+ * already-loaded items locally.
+ * @property {Object<string, string>} [searchHeaders] - Server-side search request headers
  * @property {string|((item: SunEditor.Module.Browser.File) => string)} [thumbnail] - Default thumbnail
  */
 
@@ -51,6 +55,8 @@ class AudioGallery extends PluginBrowser {
 			data: pluginOptions.data,
 			url: pluginOptions.url,
 			headers: pluginOptions.headers,
+			searchUrl: pluginOptions.searchUrl,
+			searchHeaders: pluginOptions.searchHeaders,
 			selectorHandler: this.#SetItem.bind(this),
 			columnSize: 4,
 			className: 'se-audio-gallery',

package/src/plugins/browser/fileBrowser.js

@@ -26,6 +26,10 @@ import { Browser } from '../../modules/contract';
  * }
  * ```
  * @property {Object<string, string>} [headers] - Server request headers
+ * @property {string} [searchUrl] - Server-side search URL. When set, the keyword is sent to this URL
+ * as `?keyword=<value>` and the server response replaces the list. When not set, search filters the
+ * already-loaded items locally.
+ * @property {Object<string, string>} [searchHeaders] - Server-side search request headers
  * @property {string|((item: SunEditor.Module.Browser.File) => string)} [thumbnail] - Default thumbnail URL or a function that returns a thumbnail URL per item.
  * @property {number} [expand=1] - Initial folder expand depth. `1` expands the first level, `Infinity` expands all. Default: `1`.
  * @property {Array<string>} [props] - Additional tag names
@@ -64,6 +68,8 @@ class FileBrowser extends PluginBrowser {
 			data: pluginOptions.data,
 			url: pluginOptions.url,
 			headers: pluginOptions.headers,
+			searchUrl: pluginOptions.searchUrl,
+			searchHeaders: pluginOptions.searchHeaders,
 			selectorHandler: this.#SetItem.bind(this),
 			columnSize: 4,
 			className: 'se-file-browser',

package/src/plugins/browser/fileGallery.js

@@ -20,6 +20,10 @@ import { Browser } from '../../modules/contract';
  * }
  * ```
  * @property {Object<string, string>} [headers] - Server request headers
+ * @property {string} [searchUrl] - Server-side search URL. When set, the keyword is sent to this URL
+ * as `?keyword=<value>` and the server response replaces the list. When not set, search filters the
+ * already-loaded items locally.
+ * @property {Object<string, string>} [searchHeaders] - Server-side search request headers
  * @property {string|((item: SunEditor.Module.Browser.File) => string)} [thumbnail] - Default thumbnail
  */
 
@@ -52,6 +56,8 @@ class FileGallery extends PluginBrowser {
 			data: pluginOptions.data,
 			url: pluginOptions.url,
 			headers: pluginOptions.headers,
+			searchUrl: pluginOptions.searchUrl,
+			searchHeaders: pluginOptions.searchHeaders,
 			selectorHandler: this.#SetItem.bind(this),
 			columnSize: 4,
 			className: 'se-file-gallery',

package/src/plugins/browser/imageGallery.js

@@ -20,6 +20,10 @@ import { Browser } from '../../modules/contract';
  * }
  * ```
  * @property {Object<string, string>} [headers] - Server request headers
+ * @property {string} [searchUrl] - Server-side search URL. When set, the keyword is sent to this URL
+ * as `?keyword=<value>` and the server response replaces the list. When not set, search filters the
+ * already-loaded items locally.
+ * @property {Object<string, string>} [searchHeaders] - Server-side search request headers
  */
 
 /**
@@ -50,6 +54,8 @@ class ImageGallery extends PluginBrowser {
 			data: pluginOptions.data,
 			url: pluginOptions.url,
 			headers: pluginOptions.headers,
+			searchUrl: pluginOptions.searchUrl,
+			searchHeaders: pluginOptions.searchHeaders,
 			selectorHandler: this.#SetItem.bind(this),
 			columnSize: 4,
 			className: 'se-image-gallery',

package/src/plugins/browser/videoGallery.js

@@ -20,6 +20,10 @@ import { Browser } from '../../modules/contract';
  * }
  * ```
  * @property {Object<string, string>} [headers] - Server request headers
+ * @property {string} [searchUrl] - Server-side search URL. When set, the keyword is sent to this URL
+ * as `?keyword=<value>` and the server response replaces the list. When not set, search filters the
+ * already-loaded items locally.
+ * @property {Object<string, string>} [searchHeaders] - Server-side search request headers
  * @property {string|((item: SunEditor.Module.Browser.File) => string)} [thumbnail] - Default thumbnail
  */
 
@@ -52,6 +56,8 @@ class VideoGallery extends PluginBrowser {
 			data: pluginOptions.data,
 			url: pluginOptions.url,
 			headers: pluginOptions.headers,
+			searchUrl: pluginOptions.searchUrl,
+			searchHeaders: pluginOptions.searchHeaders,
 			selectorHandler: this.#SetItem.bind(this),
 			columnSize: 4,
 			className: 'se-video-gallery',

package/src/plugins/modal/embed.js

@@ -39,6 +39,17 @@ const { _w, NO_EVENT } = env;
  * { query_vimeo: 'autoplay=1' }
  * ```
  * @property {Array<RegExp>} [urlPatterns] - Additional URL patterns to recognize as embeddable content.
+ * @property {Array<RegExp|string>} [scriptSrcWhitelist] - Allowed `<script src=...>` patterns for raw embed HTML
+ * - (e.g. Twitter blockquote + `widgets.js`). Each entry is a `RegExp` (tested against the full src) or a `string` (matched via `startsWith`).
+ * - Defaults to `[]` — all script tags are rejected.** Inline scripts (no `src`) are always rejected.
+ * ```js
+ * {
+ *   scriptSrcWhitelist: [
+ *     /^https:\/\/platform\.x\.com\/widgets\.js$/,
+ *     /^https:\/\/www\.instagram\.com\/embed\.js$/,
+ *   ]
+ * }
+ * ```
  * @property {Object<string, {pattern: RegExp, action: (url: string) => string, tag: string}>} [embedQuery] - Custom embed service definitions.
  * Each key is a service name, with `pattern` to match the URL, `action` to transform it into an embed URL, and `tag` for the output element.
  * ```js
@@ -125,6 +136,18 @@ class Embed extends PluginModal {
 		return false;
 	}
 
+	/**
+	 * @description Validate a `<script src>` against the configured whitelist for raw embed HTML.
+	 * Inline scripts (no `src`) are always rejected.
+	 * @param {string} src
+	 * @param {Array<RegExp|string>} whitelist
+	 * @returns {boolean}
+	 */
+	static #isAllowedScriptSrc(src, whitelist) {
+		if (!src) return false;
+		return whitelist.some((p) => (p instanceof RegExp ? p.test(src) : src.startsWith(p)));
+	}
+
 	/** @type {Array<RegExp>} */
 	static #urlPatterns = null;
 
@@ -168,6 +191,7 @@ class Embed extends PluginModal {
 			iframeTagAttributes: pluginOptions.iframeTagAttributes || null,
 			query_youtube: pluginOptions.query_youtube || '',
 			query_vimeo: pluginOptions.query_vimeo || '',
+			scriptSrcWhitelist: Array.isArray(pluginOptions.scriptSrcWhitelist) ? pluginOptions.scriptSrcWhitelist : [],
 			insertBehavior: pluginOptions.insertBehavior,
 		};
 
@@ -446,6 +470,19 @@ class Embed extends PluginModal {
 		if (/^<iframe\s|^<blockquote\s/i.test(src)) {
 			const embedDOM = new DOMParser().parseFromString(src, 'text/html').body.children;
 			if (embedDOM.length === 0) return false;
+
+			// Validate every iframe in the raw HTML against the URL whitelist.
+			for (let i = 0; i < embedDOM.length; i++) {
+				const node = /** @type {Element} */ (embedDOM[i]);
+				if (/^iframe$/i.test(node.nodeName) && !Embed.#checkContentType(node.getAttribute('src') || '')) return false;
+				const nested = node.querySelectorAll?.('iframe');
+				if (nested) {
+					for (let j = 0; j < nested.length; j++) {
+						if (!Embed.#checkContentType(nested[j].getAttribute('src') || '')) return false;
+					}
+				}
+			}
+
 			embedInfo = { children: embedDOM, ...this.#getInfo(), process: null };
 		} else {
 			const processUrl = this.findProcessUrl(src);
@@ -604,9 +641,12 @@ class Embed extends PluginModal {
 				container = figure.container;
 
 				const childNodes = Array.from(children);
+				const scriptWhitelist = this.pluginOptions.scriptSrcWhitelist;
 				for (const chd of childNodes) {
 					if (/^script$/i.test(chd.nodeName)) {
-						scriptTag = dom.utils.createElement('script', { src: /** @type {Element} */ (chd).getAttribute('src'), async: 'true' }, null);
+						const scriptSrc = /** @type {Element} */ (chd).getAttribute('src') || '';
+						if (!Embed.#isAllowedScriptSrc(scriptSrc, scriptWhitelist)) continue;
+						scriptTag = dom.utils.createElement('script', { src: scriptSrc, async: 'true' }, null);
 						continue;
 					}
 					cover.appendChild(chd);

package/src/plugins/modal/image/index.js

@@ -774,7 +774,7 @@ class Image_ extends PluginModal {
 
 		// link
 		let isNewAnchor = null;
-		const anchor = this.anchor.create(true);
+		const anchor = this.anchor.create(true, dom.check.isAnchor(this.#element.parentElement) ? this.#element.parentElement.href : null);
 		if (anchor) {
 			if (this.#linkElement !== anchor || (isNewContainer && !container.contains(anchor))) {
 				this.#linkElement = anchor.cloneNode(false);
@@ -839,6 +839,7 @@ class Image_ extends PluginModal {
 	 */
 	#setAnchor(imgTag, anchor) {
 		if (anchor) {
+			/** @type {HTMLAnchorElement} */ (anchor).setAttribute('data-se-non-link', 'true');
 			anchor.appendChild(imgTag);
 			return anchor;
 		}