tinacms 3.9.1 → 3.9.3

package/dist/index.js

@@ -9720,6 +9720,15 @@ class GlobalFormPlugin {
       const cmsForm = cms.state.forms.find(
         ({ tinaForm }) => tinaForm.id === form.id
       );
+      React.useEffect(() => {
+        if (!cmsForm) {
+          cms.dispatch({ type: "forms:add", value: form });
+          cms.dispatch({ type: "forms:set-active-form-id", value: form.id });
+        }
+      }, [cms, cmsForm]);
+      if (!cmsForm) {
+        return null;
+      }
       return /* @__PURE__ */ React.createElement(FormBuilder, { form: cmsForm });
     };
   }
@@ -13186,7 +13195,7 @@ const NavProvider = ({
 const name = "tinacms";
 const type = "module";
 const typings = "dist/index.d.ts";
-const version$1 = "3.9.1";
+const version$1 = "3.9.3";
 const main = "dist/index.js";
 const module = "./dist/index.js";
 const exports = {
@@ -70597,6 +70606,7 @@ class AuthenticationCancelledError extends Error {
 const authenticate = (clientId, frontendUrl) => {
   return new Promise((resolve, reject) => {
     const origin = `${window.location.protocol}//${window.location.host}`;
+    const expectedOrigin = new URL(frontendUrl).origin;
     const authTab = popupWindow(
       `${frontendUrl}/signin?clientId=${clientId}&origin=${origin}`,
       "_blank",
@@ -70612,10 +70622,16 @@ const authenticate = (clientId, frontendUrl) => {
       );
       return;
     }
+    const cleanup = () => {
+      clearInterval(pollInterval);
+      window.removeEventListener("message", messageHandler);
+    };
     const messageHandler = (e) => {
+      if (e.origin !== expectedOrigin || e.source !== authTab) {
+        return;
+      }
       if (e.data.source === TINA_LOGIN_EVENT) {
-        clearInterval(pollInterval);
-        window.removeEventListener("message", messageHandler);
+        cleanup();
         if (authTab) {
           authTab.close();
         }
@@ -70628,8 +70644,7 @@ const authenticate = (clientId, frontendUrl) => {
     };
     const pollInterval = setInterval(() => {
       if (authTab.closed) {
-        clearInterval(pollInterval);
-        window.removeEventListener("message", messageHandler);
+        cleanup();
         reject(new AuthenticationCancelledError("Popup was closed"));
       }
     }, 500);

package/dist/internal-admin-origin.d.ts

@@ -0,0 +1,7 @@
+import React from 'react';
+export declare function TinaAdminOriginProvider(props: {
+    origin: string | string[];
+    children: React.ReactNode;
+}): React.ReactElement;
+export declare function useTrustedAdminOrigins(): string[];
+export declare function isFromAdmin(event: MessageEvent, trustedOrigins: string[]): boolean;

package/dist/react.js

@@ -3,6 +3,25 @@ import { addMetadata as addMetadata2, hashFromQuery as hashFromQuery2 } from "@t
 import { QUICK_EDIT_CSS } from "@tinacms/bridge/quick-edit-css";
 import React from "react";
 import { tinaField } from "@tinacms/bridge/tina-field";
+const TinaAdminOriginContext = React.createContext(
+  null
+);
+function useTrustedAdminOrigins() {
+  const configured = React.useContext(TinaAdminOriginContext);
+  return React.useMemo(() => {
+    if (configured == null) {
+      return typeof window !== "undefined" ? [window.location.origin] : [];
+    }
+    return Array.isArray(configured) ? [...configured] : [configured];
+  }, [configured]);
+}
+function isFromAdmin(event, trustedOrigins) {
+  if (typeof window === "undefined")
+    return false;
+  if (!trustedOrigins.includes(event.origin))
+    return false;
+  return event.source === window.parent;
+}
 function useTina(props) {
   const stringifiedQuery = JSON.stringify({
     query: props.query,
@@ -18,6 +37,7 @@ function useTina(props) {
       return addMetadata(id, dataCopy, []);
     }
   }, [props.data, id]);
+  const trustedAdminOrigins = useTrustedAdminOrigins();
   const [data, setData] = React.useState(processedData);
   const [isClient, setIsClient] = React.useState(false);
   const [quickEditEnabled, setQuickEditEnabled] = React.useState(false);
@@ -89,6 +109,8 @@ function useTina(props) {
     const { experimental___selectFormByFormId, ...rest } = props;
     parent.postMessage({ type: "open", ...rest, id }, window.location.origin);
     const handleMessage = (event) => {
+      if (!isFromAdmin(event, trustedAdminOrigins))
+        return;
       if (event.data.type === "quickEditEnabled") {
         setQuickEditEnabled(event.data.value);
       }
@@ -120,7 +142,7 @@ function useTina(props) {
       window.removeEventListener("message", handleMessage);
       parent.postMessage({ type: "close", id }, window.location.origin);
     };
-  }, [id, setQuickEditEnabled]);
+  }, [id, setQuickEditEnabled, trustedAdminOrigins]);
   return { data, isClient };
 }
 function useEditState() {

package/dist/rich-text/index.js

@@ -1,3 +1,4 @@
+import { sanitizeUrl } from "@tinacms/mdx";
 import React from "react";
 const TinaMarkdown = ({
   content,
@@ -122,7 +123,7 @@ const Node = ({ components, child }) => {
         const Component2 = components[child.type];
         return /* @__PURE__ */ React.createElement(Component2, { ...props });
       }
-      return /* @__PURE__ */ React.createElement("img", { src: child.url, alt: child.alt });
+      return /* @__PURE__ */ React.createElement("img", { src: sanitizeUrl(child.url), alt: child.alt });
     case "a":
       if (components[child.type]) {
         const Component2 = components[child.type];
@@ -133,7 +134,7 @@ const Node = ({ components, child }) => {
       }
       return (
         // @ts-ignore FIXME: TinaMarkdownContent needs to be a union of all possible node types
-        /* @__PURE__ */ React.createElement("a", { href: child.url }, /* @__PURE__ */ React.createElement(TinaMarkdown, { components, content: children }))
+        /* @__PURE__ */ React.createElement("a", { href: sanitizeUrl(child.url) }, /* @__PURE__ */ React.createElement(TinaMarkdown, { components, content: children }))
       );
     case "code_block": {
       let codeString = "";

package/dist/rich-text/static.js

@@ -1,3 +1,4 @@
+import { sanitizeUrl } from "@tinacms/mdx";
 import React from "react";
 const StaticTinaMarkdown = ({
   content,
@@ -91,7 +92,7 @@ const Node = ({
         const Component2 = components[child.type];
         return /* @__PURE__ */ React.createElement(Component2, { ...props });
       }
-      return /* @__PURE__ */ React.createElement("img", { src: child.url, alt: child.alt });
+      return /* @__PURE__ */ React.createElement("img", { src: sanitizeUrl(child.url), alt: child.alt });
     case "a":
       if (components[child.type]) {
         const Component2 = components[child.type];
@@ -100,7 +101,7 @@ const Node = ({
           /* @__PURE__ */ React.createElement(Component2, { ...props }, /* @__PURE__ */ React.createElement(StaticTinaMarkdown, { components, content: children }))
         );
       }
-      return /* @__PURE__ */ React.createElement("a", { href: child.url }, /* @__PURE__ */ React.createElement(StaticTinaMarkdown, { components, content: children }));
+      return /* @__PURE__ */ React.createElement("a", { href: sanitizeUrl(child.url) }, /* @__PURE__ */ React.createElement(StaticTinaMarkdown, { components, content: children }));
     case "code_block": {
       let codeString = "";
       if (Array.isArray(child.children)) {

package/package.json

@@ -2,7 +2,7 @@
   "name": "tinacms",
   "type": "module",
   "typings": "dist/index.d.ts",
-  "version": "3.9.1",
+  "version": "3.9.3",
   "main": "dist/index.js",
   "module": "./dist/index.js",
   "exports": {
@@ -118,9 +118,9 @@
     "yup": "^1.6.1",
     "zod": "^3.24.2",
     "@tinacms/bridge": "0.3.0",
-    "@tinacms/mdx": "2.1.6",
+    "@tinacms/mdx": "2.1.7",
     "@tinacms/schema-tools": "2.8.1",
-    "@tinacms/search": "1.2.17"
+    "@tinacms/search": "1.2.19"
   },
   "devDependencies": {
     "@graphql-tools/utils": "^10.8.1",