build(deps): bump jodit from 4.12.18 to 4.12.21#4391

Merged
thorsten merged 1 commit into main from dependabot/npm_and_yarn/jodit-4.12.21 on Jun 18, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Bumps jodit from 4.12.18 to 4.12.21.

Release notes

Sourced from jodit's releases.

4.12.21

🐛 Bug Fix

  • Security (stored XSS): the HTML sanitizer (safeHTML) stripped on* event handlers and javascript: links but left several executable constructs in the serialized editor value, so an application that re-rendered editor.value as trusted HTML could execute attacker script. It now also: drops iframe[srcdoc]; removes data:text/html / data:application/xhtml (and SVG data: URLs in iframe/object/embed/frame) sources; and strips javascript:/vbscript:/livescript:/mocha: from every URL-bearing attribute (src, data, action, formaction, poster, background, xlink:href), not just <a href>. Safe data:image/* sources (e.g. base64 PNG/SVG used in <img>) are preserved. Responsibly reported by Yuji Tounai.
  • Paste (Insert as Text): pasting multi-line content with the Insert as Text option lost its line breaks — the escaped text kept raw newlines that collapse to spaces when rendered. The Insert as Text path now converts newlines to <br> (gated on nl2brInPlainText, like the plain-text paste path). Fixes #1093.
  • Hotkeys: the default keyboard shortcut for Insert Unordered List (Ctrl/Cmd+Shift+8) never fired — both variants were written as a single comma-joined string 'ctrl+shift+8, cmd+shift+8' instead of two separate array entries, so the combined value never matched a real keypress. Fixes #1079.
  • Color / Brush button: the brush (text/background color) button never reflected the color under the caret. Its update handler computed the current color into the icon fill but then unconditionally reset icon.fill to an empty string on every toolbar update, discarding it — which also made the icon render invisibly against some themes (editorCssClass). The computed fill is now kept when a color is present (and only cleared when there is none). Fixes #195 and #182.
  • Toolbar / Selection: when a text selection was started inside the editor and the mouse button was released outside of the editable area (a drag-select that ends over the page), the editor never received the mouseup event, so the active state of toolbar buttons (Bold, Italic, etc.) was not recalculated and stayed stale. A document-level mouseup listener now re-fires changeSelection when the selection still belongs to the editor, so the toolbar updates correctly. Fixes #1251.
  • Media embed (YouTube & Vimeo): real-world share URLs were not converted to an embedded player. For YouTube, short links of the form https://youtu.be/<id>?si=… (the Share button format) and ?t= timestamp links were inserted as plain text — the video id sits in the path but was only read when there was no query string — and /shorts/<id> / /live/<id> produced a broken embed/shorts/<id> src. For Vimeo, ?share=copy tracking params and channels/<name>/<id> / groups/<name>/videos/<id> URLs produced a broken video/channels/… src. convertMediaUrlToVideoEmbed now extracts the video id (and the unlisted Vimeo hash) from the URL path, ignoring tracking params and channel/group/embed/shorts/live prefixes, and also recognises the m.youtube.com (mobile) and music.youtube.com hosts. Fixes #1209.
  • Indent / Lists: the Decrease Indent (outdent) toolbar button stayed disabled when the cursor was inside a nested list item, even though Shift+Tab could un-nest it. The button's enabled state only considered an inline indent margin and ignored list nesting. It is now also enabled when the cursor sits in a list whose parent is another list item (matching the tab plugin's outdent behaviour). Fixes #1247.
  • Uploader (base64): with uploader.insertImageAsBase64URI = true, dropping or pasting images in formats outside the default imagesExtensions list — notably .svg, .bmp, .webp — failed with Need Url for Ajax Request instead of being inlined as a data URI (the file fell through to the server-upload path). The default imagesExtensions now also includes webp, bmp, svg, tiff and avif. Fixes #1228.
  • Paste (Insert only Text): pasting multi-paragraph HTML with the Insert only Text option collapsed everything into a single paragraph — block boundaries became spaces, so the text could no longer be split into list items or separate blocks. stripTags gained an opt-in blockBr mode and the Insert only Text path now uses it (gated on nl2brInPlainText), so paragraphs are separated by <br>. The default stripTags behaviour (space-joined single-line plain text) is unchanged. Fixes #1232.
  • Paste from Word: list items pasted from Microsoft Word kept their auto-generated marker text — the bullet glyph or the literal item number (1., 2., …) leaked into the content as plain text. Word emits these markers inside <span style="mso-list:Ignore"> elements that are explicitly flagged as display-only; both paste paths now drop those spans entirely instead of just stripping their attributes — cleanFromWord (the Clean / As text options) and applyStyles (the Keep / insert-as-HTML option). Fixes #948.

🏠 Internal

  • Accessibility tests: added a regression test asserting that a toolbar button's aria-label is placed on the interactive <button> element (not only on the wrapper <span>), covering the toolbar-specific case of #1261 (already fixed in 4.9.7).
  • Color tests: added a regression test for applying a single font color over a selection that already contains several different colors — every part of the text must be recolored, none left without a color, covering #169 (already fixed in the v4 style engine).

4.12.20

No release notes provided.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
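The stored-XSS entry in the 4.12.21 release notes above lists the constructs the sanitizer now rejects: `iframe[srcdoc]`, `data:text/html` and `data:application/xhtml` sources, SVG `data:` URLs in frame-like elements, and script schemes in every URL-bearing attribute, while keeping `data:image/*` for `<img>`. The block below is an added example, not jodit's own `safeHTML` code, showing one way to encode those rules as an attribute-level pass over a plain `{tag, attrs}` object so it runs under Node without a DOM. The function names (`sanitizeAttributes`, `hasScriptScheme`, `isExecutableDataUrl`), the attribute list and the sample elements are constructed here and are assumptions, not taken from jodit.

```javascript
// Added example (not jodit's code): attribute-level sanitizer pass that
// encodes the rules from the 4.12.21 release notes. Works on a plain object
// { tag, attrs } so it can run and be tested without a browser DOM.

// Attributes that carry a URL and therefore can carry a script scheme.
// This list is an assumption based on the release notes, not jodit's own.
const URL_ATTRS = new Set([
  'href', 'src', 'data', 'action', 'formaction', 'poster', 'background', 'xlink:href',
]);
const SCRIPT_SCHEMES = /^(javascript|vbscript|livescript|mocha):/;
// Elements that navigate to or execute the document behind their source URL.
const FRAME_LIKE = new Set(['iframe', 'object', 'embed', 'frame']);

// Browsers ignore ASCII whitespace and control characters when parsing a
// scheme, so normalise before matching; otherwise a scheme split by a newline
// would not match the regular expression but would still run in the browser.
function normaliseUrl(value) {
  return String(value).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
}

function hasScriptScheme(value) {
  return SCRIPT_SCHEMES.test(normaliseUrl(value));
}

// True for data: URLs that would execute script when loaded into `tag`.
// data:image/* (PNG, and SVG inside <img>) is treated as safe and kept.
function isExecutableDataUrl(value, tag) {
  const url = normaliseUrl(value);
  if (!url.startsWith('data:')) return false;
  const mime = url.slice('data:'.length).split(/[;,]/, 1)[0];
  if (mime === 'text/html' || mime.startsWith('application/xhtml')) return true;
  return FRAME_LIKE.has(tag) && mime === 'image/svg+xml';
}

// Sanitises one element's attributes. Returns the kept attributes and the
// names that were dropped, so a caller can log what was removed from input.
function sanitizeAttributes(tag, attrs) {
  const lowerTag = String(tag).toLowerCase();
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(attrs)) {
    const lname = name.toLowerCase();
    if (lname.startsWith('on')) {                     // on* event handlers
      dropped.push(name);
      continue;
    }
    if (lowerTag === 'iframe' && lname === 'srcdoc') { // inline document
      dropped.push(name);
      continue;
    }
    if (URL_ATTRS.has(lname) &&
        (hasScriptScheme(value) || isExecutableDataUrl(value, lowerTag))) {
      dropped.push(name);
      continue;
    }
    kept[name] = value;
  }
  return { tag: lowerTag, attrs: kept, dropped };
}

// Constructed sample elements (not captured from any real document).
const SAMPLES = [
  { tag: 'a', attrs: { href: 'JavaScript:void(0)', title: 'link' } },
  { tag: 'form', attrs: { action: 'java\nscript:void(0)' } },
  { tag: 'iframe', attrs: { srcdoc: '<p>inline</p>', src: 'https://example.com/' } },
  { tag: 'img', attrs: { src: 'data:image/png;base64,iVBORw0KGgo=' } },
  { tag: 'object', attrs: { data: 'data:image/svg+xml;base64,PHN2Zy8+' } },
  { tag: 'video', attrs: { poster: 'vbscript:x', onplay: 'y', controls: '' } },
];

// Runs every sample through the sanitizer and returns the dropped-attribute
// lists, one per sample, in order.
function runSamples() {
  return SAMPLES.map((s) => sanitizeAttributes(s.tag, s.attrs).dropped);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [i, dropped] of runSamples().entries()) {
    console.log(`<${SAMPLES[i].tag}> dropped: ${JSON.stringify(dropped)}`);
  }
}
```

The `dropped` list is the useful part for a defender: a sanitizer that silently rewrites content gives no signal, whereas logging which attributes were stripped from a given user's submissions turns the sanitizer into a detection point. The normalisation step is what makes the scheme check meaningful; matching the raw string against `javascript:` alone would miss inputs that the browser still executes.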

Bumps [jodit](https://github.com/xdan/jodit) from 4.12.18 to 4.12.21.
- [Release notes](https://github.com/xdan/jodit/releases)
- [Changelog](https://github.com/xdan/jodit/blob/main/CHANGELOG.md)
- [Commits](xdan/jodit@4.12.18...4.12.21)

---
updated-dependencies:
- dependency-name: jodit
  dependency-version: 4.12.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file JavaScript Pull requests that update Javascript code labels Jun 18, 2026
@thorsten thorsten force-pushed the dependabot/npm_and_yarn/jodit-4.12.21 branch from e76e5fb to 8726edf Compare June 18, 2026 16:05
@thorsten thorsten merged commit 15e2361 into main Jun 18, 2026
17 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/jodit-4.12.21 branch June 18, 2026 16:18