Version 3.0.0 released
This main feature of this release is fix to prevent XSS with the default commands along with dropping IE and legacy Edge support.
The editor also now includes the dompurify library to help prevent any future XSS attacks. This isn’t fully backwards compatible as
dompurify may cause some HTML to be stripped. If you have any code that includes iframes, the allowed URLs will need to be added to the new
The other breaking change is that the no longer supports IE and legacy Edge. The editor can still run in source mode in those browsers if the
runWithoutWysiwygSupport option is enabled.
There’s also some bug fixes included in this release too.
Thanks to everyone who contributed!
- Fixes XSS issues by using dompurify.
– Thanks to @mufeedvh for fixing.
- Fixed missing user input escaping for default commands.
– Thanks to @dvz for fixing.
- Fixed bug so nvda can read editor content.
– Thanks to @repl-shenoy-sukumaran for reporting and fixing.
- Fixed bug with alignment removing line breaks in lists,
– Thanks to @lucaslg for reporting and @dclause for fixing.
- Fixed BBCode bug with list commands in source mode not wrapping selected text.
– Thanks to @tomdav999 for reporting and @live627 for fixing.
- Fixed issue with comment nodes sometimes causing an error.
– Thanks to @karolinaskiba for reporting
- Fixed bug with BBCode attributes containing multiple quotes where only the first was being escaped.
- Removed unselectable parameter from createDropDown method which was needed for IE
- Removed ie property which used to give the current IE version