Update dependency jodit to v4.12.26 [SECURITY]#1013
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.7.9→4.12.26jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
CVE-2026-55886 / GHSA-vpmm-x3fm-qr5c
More information
Details
Summary
Jodit.modules.Helpers.set(chain, value, obj)walks the dot-separatedchain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains)__proto__,constructor, orprototypelets the final assignment reach and mutateObject.prototype(prototype pollution).Affected
jodit(npm)< 4.12.26Jodit.modules.Helpers.set(chain, value, obj)Proof of Concept
Impact
Applications that pass a user-controlled or partially user-controlled key path into
Jodit.modules.Helpers.set()could be vulnerable to prototype pollution (CWE-1321): unexpected property injection, logic bypass, denial of service, or secondary security issues.Patch
Fixed in 4.12.26 by rejecting any
chainwhose segments include__proto__,constructor, orprototype, reusing the same guard introduced forJodit.configure()in 4.12.18.Credit
Responsibly reported by Junming Wu.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
xdan/jodit (jodit)
v4.12.26Compare Source
🐛 Bug Fix
Jodit.modules.Helpers.set(chain, value, obj)walked the dot-separatedchainand created/followed each segment without filtering prototype-mutating keys, so a chain such as__proto__.polluted(e.g.set('__proto__.polluted', 'yes', {})) could reach and mutateObject.prototype(CWE-1321).setnow bails out when any segment is__proto__,constructor, orprototype, reusing the same guard added forJodit.configure()in 4.12.18. Responsibly reported by Junming Wu.v4.12.25Compare Source
🐛 Bug Fix
sourceEditorCDNUrlsJSnow points to ACE 1.43.3, which ships an automatic per-line bidi handler and years of complex-script rendering fixes; all existing source-mode integration tests pass against the new build, plus new regression tests for the Thai round-trip and the bidi layer.v4.12.24Compare Source
🚀 New Feature
link.ariaLabelInput(defaultfalse) adds an Aria label text field to the Insert/Edit link form. It reads the existingaria-labelwhen editing and writes it to the<a>on submit (clearing it when empty) — useful for accessibility when several links share the same visible text (e.g. multiple "here" links a screen reader can't tell apart). Addresses #1204.afterImageEditorSaveevent, fired when the user clicks Save / Save as in the image editor (crop/resize). The handler receives the action box{ action: 'resize' | 'crop', box }(and the new name for Save as), so you can react to the applied crop/resize — e.g. update the image's aspect ratio or set its real size. The existingafterImageEditoronly fired when the editor opened. Addresses #820.uploader.beforeUpload(files)hook, called with the file list right before upload (or base64 read). Returnfalseto abort — useful for client-side validation of size/type/count;thisis the uploader (sothis.jis the editor). Addresses #1329.delete.disableCases(aSet<string>) lets you turn off individual Backspace/Delete cleanup behaviors that the plugin applies after the native deletion — e.g.delete: { disableCases: new Set(['join-neighbors']) }stops Backspace at the start of a paragraph from merging it into the previous one. Available keys:remove-unbreakable,remove-not-editable,remove-char,table-cell,remove-empty-parent,remove-empty-neighbor,join-two-lists,join-neighbors,unwrap-first-list-item. Addresses #1060.cleanHTML.collapseEmptyValueToEmptyString(defaultfalse). When the editor holds only a single empty block — e.g.<p><br></p>left in the DOM after the user deletes all content (contenteditable keeps that caret container) —editor.valueand the synced source element now return an empty string''instead of<p><br></p>, which is what forms usually expect on submit. Real content (including a<p><br></p>followed by other blocks) is never collapsed. Addresses #1149.🐛 Bug Fix
controls: { font: { component: 'select' } }), unstyled text showed the editor's raw default font stack (e.g.-apple-system) on the button instead ofDefault. The font control'svaluenow returns an empty value when the computed font-family equals the editor's own default, so the button shows theDefaultlist entry. Fixes #1370.v4.12.23Compare Source
🐛 Bug Fix
<form>instead of jumping to the next match — thepreventDefault()for Enter lived inside a debounced handler, so it ran only after the browser had already dispatched the form submission. Enter is now canceled synchronously, while the search logic itself stays debounced. Fixes #918.ar.jsnever reached the build — the master i18n key list was generated only fromar.js, and every other language is serialized as an array indexed by that list, so existing translations for the ordered-list menu items (Lower Alpha, Lower Greek, Lower Roman, Upper Alpha, Upper Roman — translated in de/es/fi/it/ja/pt_br) and a dozen other keys were silently dropped from every bundle. The key list is now built as the union of all language files. Fixes #997.ownerWindow(editor created inside an iframe): UI components (toolbar collection, popups, dialogs) always kept the globalwindowas their owner window instead of the configured one. Popup/dropdown outside-click close handlers were therefore bound to the wrong window — clicks inside the iframe never reached them, so toolbar dropdowns did not close on an outside click.ViewComponentnow inherits the owner window from its parent view. Fixes #965.getContent): controls rendered throughgetContent(e.g. the FileBrowser Upload button) never ran the status calculation, so theirisDisabled/isActive/updatecallbacks were silently ignored — the Upload button stayed enabled even when the backend permissions (canI('FileUpload')) said otherwise.ToolbarContent.update()now evaluates the control's status like regular toolbar buttons and also propagates the disabled state to nested form controls (the file<input>of the Upload button). Thanks @WatchfulEyeOfZod for the diagnosis and the patch draft. Fixes #1094.iframe: truethe selection toolbar (toolbarInlineForSelection) opened far away from the selected text — the popup was positioned byrange.getBoundingClientRect(), whose coordinates are iframe-local, while the popup itself lives in the host document. The iframe offset is now added to the selection bound. Fixes #1058.text/plainfromnavigator.clipboard.read()even whentext/htmlwas available. The button now prefers the HTML flavor (falling back to plain text), so both paste paths behave the same. Fixes #1061.font-weight: normal; font-size: 24pxvisually overrode the new format, so an<h2>looked exactly like the old text. When a block format is applied, the conflictingfont-size/font-weightinline styles are now removed from the block (other styles like color stay). Fixes #1063.<table>element itself — it landed after</tbody>, which is invalid HTML; on the next parse the browser foster-parents such content out of the table, corrupting the document and causing follow-up DOM errors (theFailed to execute 'appendChild'console spam from the report). The join logic now merges the text into the edge table cell (last cell for Backspace, first for Delete). Covers #1064.askBeforePasteFromWord): office content was frequently mis-detected as plain HTML, so the generic Paste as HTML dialog appeared instead of the Word one. The detector only matched aMicrosoft Word Nmeta generator ormso-styles in double quotes combined with<font>tags — while the raw Word clipboard fragment uses single-quotedstyle='mso-…', unquotedclass=MsoNormal, an unquotedProgIdmeta and office XML namespaces (and modern Word emits no<font>at all); LibreOffice/OpenOffice content was never detected. The detector now also recognizes all of these markers. Fixes #1078.enableDragAndDropFileToEditor: false): dropping a file (e.g. a JPG from another window) into the editor still embedded it — with the option off no handler was bound to thedropevent, nothing calledpreventDefault, and Firefox inserted the dropped image natively. With the option disabled the editor now cancels file drops, so they do nothing — as the option promises. Fixes #1077.select-cellsplugin (click or drag-select a cell — typical for tables pasted from Word) silently did nothing: the cell selection drops or collapses the native range, so the color was committed as a pending caret format in an empty<span>outside the table. When cells are selected and the native selection is collapsed, theforecolor/backgroundcommands now recolor the content of every selected cell (including nested spans carrying their own Word colors). Fixes #1250.shadowRootoption, e.g. a Stencil/web component integration) never opened the cell properties popup (background, vertical align, split/merge, add/remove row & column).document.elementFromPointdoes not pierce shadow boundaries — it returns the shadow host — so theselect-cellsplugin could not find the clicked cell onmouseup. The hit-testing now starts from the configured shadow root inselect-cells(cell selection on click and drag-select),add-new-line(the Break line over tables/images) andPopup.getKeepBound. Fixes #1312.v4.12.22Compare Source
🐛 Bug Fix
<strong>/<em>/… context was lost, so pasting it elsewhere dropped the formatting. Native browser copy keeps that context, but Jodit intercepts copy/cut and serialized only the range contents. The copied fragment is now wrapped in shallow clones of the selection's inline ancestors, like browsers do. Fixes #1202.limitChars+countTextSpaces): the character limiter never counted spaces — even withcountTextSpaces: truethe limit applied to non-space characters only (limitChars: 10allowedI am only 8because only 8 visible characters were counted), while the status-bar counter showed the space-inclusive number. WithcountTextSpaces: truethe limiter now counts characters the same way as the counter — including spaces. Fixes #1144.editor.value = …assignment parsed the HTML into a helper element of the live document to sanitize it, so the browser issued a network request for every<img>in the value — with wrappers that sync the value on each change (e.g. jodit-reactonChange), the image URLs were re-requested on every click/keystroke. The sanitize sandbox is now an inert document (implementation.createHTMLDocument), which never loads sub-resources;Dom.isElement/Dom.isHTMLElementno longer require a browsing context (defaultView), so the sanitizer keeps working on inert nodes. The internalsafeHTMLhook is now fired as an event for extensibility. Fixes #1237.toolbarInlineForSelection): clicking a button in the selection toolbar (e.g. Bold) applied the command but closed the toolbar, even though the selection was still active — applying several formats required re-selecting the same text again and again. After a command fired from inside the popup, the selection toolbar is now reopened while the selection is not collapsed. Fixes #1238.allowTags): whencleanHTML.allowTagswas configured as a map with per-tag attribute rules (e.g.{p: true, a: {href: true}}) and the content contained a tag outside the list that had attributes (e.g.<meta charset="utf-8">from pasted e-mail HTML), the cleanup worker threwTypeError: Cannot read properties of undefinedon every pass — the editor "crashed" on the first click and disallowed tags were never removed. The attribute filter now skips tags that are not in the allow list (the tags filter removes them). Fixes #1224.<(e.g.TD}gy{<KMj3ScW1[efbi) lost everything after the bracket — the clipboard text was inserted through the HTML path, so<KMj3…was parsed as an unclosed tag and swallowed the rest of the string. When the clipboard contains onlytext/plain(and it is not actual HTML), special characters are now escaped before insertion, so<,>and&survive as literal text; thenl2brInPlainTextline-break conversion still applies after escaping. Fixes #1227.langs/tr.jscontained a copy of the German translation for that key. Replaced with the proper Turkish text. Fixes #1245.dialog.minWidth/dialog.minHeightoptions when set, otherwise the sum of the header, the content's CSSmin-heightand the footer (and the footer buttons' row width). Fixes #1262.iframemode — while dragging, the editor height jumped between two values. Same root cause as the image-resizer fix below:mousemoveevents proxied from the editor's iframe carry iframe-viewport coordinates and were mixed as-is with host-window ones; they are now shifted into the host coordinate space (checked viae.view). Fixes #1287.iframemode (e.g. witheditHTMLDocumentMode) — the size jumped while dragging, making it impossible to set precisely. During a drag,mousemoveevents arrive both from the host window (pointer over the resize frame) and proxied from the editor's iframe (pointer over the content), but the iframe-viewport coordinate correction was applied to all of them, so host-window events were shifted by the workplace offset. The correction is now applied only to events that originate from the iframe window (e.view). Fixes #1264.🏠 Internal
allowTabNavigation: truean inner popup (a dropdown opened from a button inside another popup — e.g. the image Horizontal align list) is positioned next to its trigger button. With that option the inner popup is appended into the button inside the outer popup, whose CSStransformshiftsposition: fixedcoordinates; covers #1265 (already fixed in 4.12.8 by thegetFixedPositionOffsetcontaining-block compensation from #1350).shadowRootoption the image resizer frame, the image properties dialog (double click) and the inline popup all open correctly inside the shadow root. Covers the scenario from #1109, which does not reproduce with a vanilla Shadow DOM.data:) image is replaced with ablob:URL only in the view and never leaks intoeditor.value, the source element, the controlled-value loop (value re-assigned on every change, as jodit-react does) or the value left afterdestruct()(React remount). Covers the scenario from #1244, which does not reproduce in the core editor.editor.selection.insertHTML()called after the editor lost focus (e.g. from a click handler on a non-focusable page element) inserts at the previously saved caret position instead of the start of the editor. Covers the scenario from #1239, which does not reproduce on the current version in Chrome or Firefox.<td>itself (as Word produces) rather than on inner spans. Covers the scenario from #1221, which does not reproduce on the current version.mousemove, the Firefox redraw-hack cleanup, debounced history changes and the browser'sclickdispatched on the commonTRancestor. Covers the scenario from #1174, which does not reproduce on the current version in Chrome or Firefox.<span style="letter-spacing:-.5pt"> </span>) survive pasting in every mode (keep, clean, text). Covers the scenario from #1230, which does not reproduce on the current version (verified with the full table HTML from the issue).iframe: true+editHTMLDocumentMode: truemode the image resize frame is hidden when the iframe content is scrolled (theiframeplugin proxies the inner window'sscrollevent into the main window, where theresizerplugin listens). Covers the scenario from #1266, which does not reproduce on the current version.v4.12.21Compare Source
🐛 Bug Fix
safeHTML) strippedon*event handlers andjavascript:links but left several executable constructs in the serialized editor value, so an application that re-renderededitor.valueas trusted HTML could execute attacker script. It now also: dropsiframe[srcdoc]; removesdata:text/html/data:application/xhtml(and SVGdata:URLs iniframe/object/embed/frame) sources; and stripsjavascript:/vbscript:/livescript:/mocha:from every URL-bearing attribute (src,data,action,formaction,poster,background,xlink:href), not just<a href>. Safedata:image/*sources (e.g. base64 PNG/SVG used in<img>) are preserved. Responsibly reported by Yuji Tounai (@yousukezan).<br>(gated onnl2brInPlainText, like the plain-text paste path). Fixes #1093.Ctrl/Cmd+Shift+8) never fired — both variants were written as a single comma-joined string'ctrl+shift+8, cmd+shift+8'instead of two separate array entries, so the combined value never matched a real keypress. Fixes #1079.updatehandler computed the current color into the icon fill but then unconditionally reseticon.fillto an empty string on every toolbar update, discarding it — which also made the icon render invisibly against some themes (editorCssClass). The computed fill is now kept when a color is present (and only cleared when there is none). Fixes #195 and #182.mouseupevent, so the active state of toolbar buttons (Bold, Italic, etc.) was not recalculated and stayed stale. A document-levelmouseuplistener now re-fireschangeSelectionwhen the selection still belongs to the editor, so the toolbar updates correctly. Fixes #1251.https://youtu.be/<id>?si=…(the Share button format) and?t=timestamp links were inserted as plain text — the video id sits in the path but was only read when there was no query string — and/shorts/<id>//live/<id>produced a brokenembed/shorts/<id>src. For Vimeo,?share=copytracking params andchannels/<name>/<id>/groups/<name>/videos/<id>URLs produced a brokenvideo/channels/…src.convertMediaUrlToVideoEmbednow extracts the video id (and the unlisted Vimeo hash) from the URL path, ignoring tracking params and channel/group/embed/shorts/liveprefixes, and also recognises them.youtube.com(mobile) andmusic.youtube.comhosts. Fixes #1209.Shift+Tabcould un-nest it. The button's enabled state only considered an inline indent margin and ignored list nesting. It is now also enabled when the cursor sits in a list whose parent is another list item (matching thetabplugin's outdent behaviour). Fixes #1247.uploader.insertImageAsBase64URI = true, dropping or pasting images in formats outside the defaultimagesExtensionslist — notably.svg,.bmp,.webp— failed withNeed Url for Ajax Requestinstead of being inlined as a data URI (the file fell through to the server-upload path). The defaultimagesExtensionsnow also includeswebp,bmp,svg,tiffandavif. Fixes #1228.stripTagsgained an opt-inblockBrmode and the Insert only Text path now uses it (gated onnl2brInPlainText), so paragraphs are separated by<br>. The defaultstripTagsbehaviour (space-joined single-line plain text) is unchanged. Fixes #1232.1.,2., …) leaked into the content as plain text. Word emits these markers inside<span style="mso-list:Ignore">elements that are explicitly flagged as display-only; both paste paths now drop those spans entirely instead of just stripping their attributes —cleanFromWord(the Clean / As text options) andapplyStyles(the Keep / insert-as-HTML option). Fixes #948.🏠 Internal
aria-labelis placed on the interactive<button>element (not only on the wrapper<span>), covering the toolbar-specific case of #1261 (already fixed in 4.9.7).v4.12.20Compare Source
v4.12.18Compare Source
🚀 New Feature
startDragElementevent so another plugin can begin dragging a specific element programmatically — e.g. from a dedicated drag handle/anchor shown next to a block. Fireeditor.e.fire('startDragElement', element, mouseEvent); the element does not need to be listed indraggableTags(the listener is registered even when that list is empty), so handles can move elements such as<pre>code blocks that are not auto-draggable.🐛 Bug Fix
clean-htmlremoved them. The caret is now moved back into the innermost pending marker on click, andclean-htmlkeeps empty inline elements that hold the live caret, so the next typed character keeps every format. Fixes #1291.Jodit.configure()— and the internalConfigMerge/ConfigProtohelpers — merged user-supplied options without filtering prototype-mutating keys, so a payload nested under an existing plain-object option such ascontrols(e.g.{"controls":{"__proto__":{"polluted":"yes"}}}) could reach and mutateObject.prototype(CWE-1321). Merging now rejects__proto__,constructor, andprototypeat every nesting level. Responsibly reported by Junming Wu.💅 Polish
<pre>code sample) no longer leaves an invisible filler text node () next to it. Previously this stray node showed up as an extra empty line untilclean-htmlremoved it later; it is now stripped inonDropright after insertion.v4.12.17Compare Source
🐛 Bug Fix
:clickhandler now moves the caret to the end of the item's own text in that case. Fixes #1296.v4.12.16Compare Source
🐛 Bug Fix
<br>line break. TheremoveExtraBrcleanup (run after the style marker is inserted) deleted the following<br>even when real content followed it. It now only removes a trailing<br>(with nothing meaningful after it), so line breaks in the middle of a block are preserved. Fixes #1302.v4.12.15Compare Source
🐛 Bug Fix
HierarchyRequestError: ... insertNode ... #document(the normal delete ran against a collapsed, document-level range). Backspace/Delete on a multi-cell selection now clears the content of the selected cells instead. Fixes #1273.v4.12.14Compare Source
🐛 Bug Fix
checkRemoveCharwalked out of the nested<li>/list and removed a character from the parent item's text. It no longer crosses a list-item boundary, so the list cases handle the operation cleanly. Fixes #1277.v4.12.13Compare Source
🐛 Bug Fix
<em><strong><u>…</u></strong></em>) that was preceded by a<br>deleted the entire run instead of just the line break.checkJoinNeighborswalked up to the inline element and tried to merge its content into the preceding<br>(a void element), which removed the whole element. It now removes the<br>as a single unit. Fixes #1282.v4.12.12Compare Source
🐛 Bug Fix
resizehandler (bound towindow.resizewhenglobalFullSizeis on) re-saved the "original" size on every window resize, so it captured the fullscreen size. The original size is now stored only once when entering fullsize and restored on exit. Fixes #1278.v4.12.11Compare Source
🐛 Bug Fix
#000000) did nothing when the editor's default text color had been changed. The redundancy check intoggleAttributesmeasured the element's "native" value inside an isolated iframe, where the default text color is always the browser black — so black always matched and was skipped. The probe now inherits the editor's effective text color (the editor default is#222, not pure black), so an explicitly chosen color is applied correctly. Fixes #1311. (Note: applying black to a link now keeps the anchor and sets the color, which matches the original intent of #936.)v4.12.10Compare Source
v4.12.9Compare Source
🐛 Bug Fix
TypeError: Cannot read properties of undefined (reading 'Infinity'). When the drag left a stale selection anchor and the drop target was no longer part of the table's formal matrix,getSelectedBoundreturned itsInfinitysentinel and__onStopSelectiondereferenced an out-of-range matrix slot. It now bails out gracefully when the selected cells can't be resolved in the table. Fixes #1357.v4.12.8Compare Source
🐛 Bug Fix
transform— e.g. a modal/flyout. Both elements useposition: fixed, and a transformed ancestor becomes their containing block, so the viewport coordinates were shifted by that ancestor's top-left corner. Added agetFixedPositionOffsethelper that returns the containing-block offset ({0, 0}when there is no transformed ancestor, so normal usage is unaffected) and subtracted it when positioning the tooltip and popup. Fixes #1350.v4.12.7Compare Source
🐛 Bug Fix
NotFoundError: Failed to execute 'insertBefore' on 'Node'for tables with mixed rowspans (e.g. after inserting a column and repeatedly splitting/merging cells). When a row with a rowspan cell was removed, the cell was moved into the next row and inserted before the cell that logically follows it — but that reference cell can physically belong to an earlier<tr>(when it spans down from a row above), which is not a child of the target row.__removeRownow picks the first following cell that actually belongs to the next row (falling back toappendChild). Fixes #1358.v4.12.6Compare Source
🏠 Internal
browserType.launch: Executable doesn't existafter Playwright 1.60.0 was published. The screenshots Docker image was pinned to thev1.58.0-jammybase but installedplaywright/@playwright/testunpinned, so the runner jumped to 1.60.0 while the image only shipped the 1.58 browser binaries. Bumped the base image tov1.60.0-jammy, pinned the install to1.60.0, and aligned@playwright/testinpackage.jsonto^1.60.0so the runner and the bundled browsers always match.v4.12.5Compare Source
🏠 Internal
npm cifailed with anERESOLVEerror becausetypescript@^6.0.2clashed with the peer range of@typescript-eslint/*@​8.57(>=4.8.4 <6.0.0). Bumped@typescript-eslint/eslint-pluginand@typescript-eslint/parserto^8.60.1, whose peer range (>=4.8.4 <6.1.0) allows TypeScript 6, and regenerated the lockfile so a cleannpm ciinstall succeeds. Fixes #1368.v4.12.4Compare Source
🐛 Bug Fix
AudioContexton every result and never closed it. During continuous dictation these piled up — leaking until the browser's per-page limit was hit and the overlapping audio turned into a "roar" that could crash the tab. The sound helper now reuses a singleAudioContextper recognizer and releases it ondestruct. Recognizer cleanup is also tied to the editor lifecycle (previously the toolbar button'sbeforeDestruct), so it survives toolbar rebuilds and is freed when the editor is destroyed.v4.12.3Compare Source
v4.12.2Compare Source
🐛 Bug Fix
Jodit.modules.Helpers.set(chain, value, obj)walked the dot-separatedchainand created/followed each segment without filtering prototype-mutating keys, so a chain such as__proto__.polluted(e.g.set('__proto__.polluted', 'yes', {})) could reach and mutateObject.prototype(CWE-1321).setnow bails out when any segment is__proto__,constructor, orprototype, reusing the same guard added forJodit.configure()in 4.12.18. Responsibly reported by Junming Wu.v4.11.15Compare Source
🏠 Internal
v4.11.14Compare Source
🚀 New Feature
Add
stream()method toAjaxclass for SSE (Server-Sent Events) streaming over XMLHttpRequest. Returns anAsyncGenerator<string>that yields parseddata:fields incrementally viaonprogress.📝 Documentation
src/core/request/README.mdwith full API reference, usage examples, SSE streaming guide, AbortController integration, and real-world patterns (FileBrowser, Uploader, plugins).v4.11.13Compare Source
v4.11.11Compare Source
v4.11.10Compare Source
v4.11.9Compare Source
v4.11.8Compare Source
v4.11.7Compare Source
🚀 New Feature
backSpaceAfterDeleteevent triggered after backspace operationsDom.findFirstMatchedNode()method for retrieving first matched node in DOM tree💅 Polish
wrapNodesplugin after backspace🏠 Internal
v4.11.6Compare Source
🏠 Internal
v4.11.5Compare Source
🚀 New Feature
ProgressBar.showFileUploadAnimation(from?, to?)— animated file icon that flies from a given point and fades out. Coordinates are relative to the editor container. Bothfromandtoare optional with sensible defaults. The animation is automatically cleaned up ondestruct().v4.11.4Compare Source
💥 Breaking Change
.jodit-icontransform-originchanged from0 0 !importanttovar(--jd-icon-transform-origin)(defaultcenter), and the!importantflag was removed. If your layout depends on the old top-left origin, restore it via CSS:🚀 New Feature
IUIIconStatenow supportsscaleproperty — when set, appliestransform: scale(...)to the SVG icon element, overriding the CSS variableIControlType.iconnow acceptsstring | IUIIconState— allows setting icon name, fill, iconURL, and scale directly from toolbar button configPer-button scale example:
CSS custom properties
--jd-icon-transform-originand--jd-icon-transform-scalefor global icon scaling. Override them to resize all editor icons at once. Per-buttonscaleinIUIIconStatetakes priority over the CSS variable.Global scale override via CSS:
v4.11.3Compare Source
Full Changelog: xdan/jodit@4.11.2...4.11.3
v4.11.2Compare Source
💥 Breaking Change
cleanHTML.denyTagsdefault changed from'script'to'script,iframe,object,embed'— iframes, objects, and embeds are now blocked by defaultcleanHTML.removeOnErroris deprecated in favor ofcleanHTML.removeEventAttributes— allon*event handler attributes (onerror,onclick,onload,onmouseover, etc.) are now removed by default, not justonerrorcleanHTML.safeLinksTargetis nowtrueby default — links withtarget="_blank"automatically getrel="noopener noreferrer"cleanHTML.sandboxIframesInContentis nowtrueby default — all<iframe>elements in editor content getsandbox=""attributecleanHTML.convertUnsafeEmbedsis now['object', 'embed']by default — listed elements are converted to sandboxed<iframe>🏠 Internal
🚀 New Feature
cleanHTML.removeEventAttributes— removes allon*event handler attributes for comprehensive XSS protection (onerror, onclick, onload, onmouseover, onfocus, etc.)cleanHTML.safeLinksTarget— automatically addsrel="noopener noreferrer"totarget="_blank"links to preventwindow.openerattackscleanHTML.allowedStyles— whitelist of allowed CSS properties instyleattributes, prevents CSS injection attacks (e.g. data exfiltration viabackground-image: url(...))cleanHTML.sanitizer— hook for external sanitizer integration (e.g. DOMPurify). Called before Jodit's built-in sanitizationcleanHTML.sandboxIframesInContent— addssandbox=""to all<iframe>in editor contentcleanHTML.convertUnsafeEmbeds(false | string[]) — converts listed tags to sandboxed<iframe>, customizable list📝 Documentation
docs/security.mdcovering XSS protection, CSP, Trusted Types, HTML Sanitizer API, server-side sanitization, and hardened configuration examplesv4.10.3Compare Source
Full Changelog: xdan/jodit@4.10.2...4.10.3
v4.10.2Compare Source
What's Changed
New Contributors
Full Changelog: xdan/jodit@4.10.1...4.10.2
v4.10.1Compare Source
💥 Breaking Change
popup: { cells: Jodit.atom(['valign', 'deleteTable', ...]) }) #1328delete→deleteTableto avoid conflict withdocument.execCommand('delete')v4.9.19Compare Source
What's Changed
Full Changelog: xdan/jodit@4.9.18...4.9.19
v4.9.16Compare Source
🏠 Internal
v4.9.15Compare Source
🐛 Bug Fix
v4.9.14Compare Source
🐛 Bug Fix
v4.9.13Compare Source
Full Changelog: xdan/jodit@4.9.12...4.9.13
v4.9.12Compare Source
🚀 New Feature
v4.9.11Compare Source
🚀 New Feature
getRole():stringmethod has been added toUIElement. This allows you to set container roles for accessibility.UIGrouprole is set to list.[
v4.9.10](https://redirect.github.com/xdConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.