Skip to content

build(deps): bump jodit from 4.12.29 to 4.12.32#4458

Merged
thorsten merged 1 commit into
mainfrom
dependabot/npm_and_yarn/jodit-4.12.32
Jul 6, 2026
Merged

build(deps): bump jodit from 4.12.29 to 4.12.32#4458
thorsten merged 1 commit into
mainfrom
dependabot/npm_and_yarn/jodit-4.12.32

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps jodit from 4.12.29 to 4.12.32.

Release notes

Sourced from jodit's releases.

4.12.32

🐛 Bug Fix

  • Editor size / external toolbar: when the toolbar option points to an external element (the toolbar renders outside the editor container), the workplace height was still computed as container height − toolbar height, so the editing area was wrongly shrunk by the height of a toolbar that wasn't inside the container. The toolbar height is now subtracted only when the toolbar actually lives inside the container. Reported in #920.

4.12.31

🐛 Bug Fix

  • Security / sanitizeHTMLElement (javascript: link XSS, CWE-79/83): the href safety check used a bare href.trim().indexOf('javascript') === 0 — unlike the isDangerousUrl normalization applied to every other URL attribute, it was case-sensitive and did not strip control bytes, tabs or newlines. So a dangerous href survived sanitization (and persisted in the stored editor.value) when the scheme was upper/mixed-case (JAVASCRIPT:), prefixed by a C0 control byte (\x01javascript:), or split by an embedded tab/newline (java\tscript:) — all of which a browser still resolves to javascript: on click, executing attacker script in any page that renders the stored value. href is now routed through the same isDangerousUrl normalization (strips control characters and lowercases before matching the scheme), so these obfuscations are neutralized like every other URL attribute. Affected all versions through 4.12.30. Responsibly reported by Younghun Ko of AhnLab (@​koyokr) (GHSA-j839-gqq4-gf9j).

4.12.30

🐛 Bug Fix

  • Paste from Excel / "Keep" formatting: content copied from MS Excel (and other apps that wrap the clipboard in a bare <html> tag) lost all styling — table cells styled by class in a <style> block (e.g. .xl31 { background:#FCE4D6 }, the typical Excel export) came in with no background, fonts or alignment. applyStyles (the Paste as HTML → Keep path) only inlined <style> rules when the opening tag carried attributes (<html …>, as Word emits); Excel emits a bare <html>, so the rules were never inlined and were dropped together with the <style> block. The opening <html> tag is now matched with or without attributes, so class-based styling is inlined onto the cells and survives. Reported in #1362.
Changelog

Sourced from jodit's changelog.

4.12.32

🐛 Bug Fix

  • Editor size / external toolbar: when the toolbar option points to an external element (the toolbar renders outside the editor container), the workplace height was still computed as container height − toolbar height, so the editing area was wrongly shrunk by the height of a toolbar that wasn't inside the container. The toolbar height is now subtracted only when the toolbar actually lives inside the container. Reported in #920.

4.12.31

🐛 Bug Fix

  • Security / sanitizeHTMLElement (javascript: link XSS, CWE-79/83): the href safety check used a bare href.trim().indexOf('javascript') === 0 — unlike the isDangerousUrl normalization applied to every other URL attribute, it was case-sensitive and did not strip control bytes, tabs or newlines. So a dangerous href survived sanitization (and persisted in the stored editor.value) when the scheme was upper/mixed-case (JAVASCRIPT:), prefixed by a C0 control byte (\x01javascript:), or split by an embedded tab/newline (java\tscript:) — all of which a browser still resolves to javascript: on click, executing attacker script in any page that renders the stored value. href is now routed through the same isDangerousUrl normalization (strips control characters and lowercases before matching the scheme), so these obfuscations are neutralized like every other URL attribute. Affected all versions through 4.12.30. Responsibly reported by Younghun Ko of AhnLab (@​koyokr) (GHSA-j839-gqq4-gf9j).

4.12.30

🐛 Bug Fix

  • Paste from Excel / "Keep" formatting: content copied from MS Excel (and other apps that wrap the clipboard in a bare <html> tag) lost all styling — table cells styled by class in a <style> block (e.g. .xl31 { background:#FCE4D6 }, the typical Excel export) came in with no background, fonts or alignment. applyStyles (the Paste as HTML → Keep path) only inlined <style> rules when the opening tag carried attributes (<html …>, as Word emits); Excel emits a bare <html>, so the rules were never inlined and were dropped together with the <style> block. The opening <html> tag is now matched with or without attributes, so class-based styling is inlined onto the cells and survives. Reported in #1362.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [jodit](https://github.com/xdan/jodit) from 4.12.29 to 4.12.32.
- [Release notes](https://github.com/xdan/jodit/releases)
- [Changelog](https://github.com/xdan/jodit/blob/main/CHANGELOG.md)
- [Commits](xdan/jodit@4.12.29...4.12.32)

---
updated-dependencies:
- dependency-name: jodit
  dependency-version: 4.12.32
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file JavaScript Pull requests that update Javascript code labels Jul 6, 2026
@thorsten thorsten merged commit 32ef8bc into main Jul 6, 2026
13 checks passed
@thorsten thorsten deleted the dependabot/npm_and_yarn/jodit-4.12.32 branch July 6, 2026 04:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file JavaScript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant