You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Link dialog rejects dangerous URL schemes.javascript:, data:, vbscript:, file: (plus case-bypasses like JaVaScRiPt: and whitespace-padded variants) are now dropped at link-insert time. Safe schemes (http, https, mailto, tel, ftp, ftps, sms, xmpp, cid) and # anchors still pass through.
v-html content sanitized before render.ParagraphBlock and TitleBlock now scrub <script>/<style>/<iframe>/on* event handlers and unsafe href / src schemes from block.content before binding it to v-html. Closes the XSS path where a malicious or compromised template JSON could execute code on canvas load. TipTap-authored content (the common case) is unaffected.
Block duplication regenerates nested IDs. Cloning a table, social, or menu block previously reused identical rows[].id / cells[].id / icons[].id / items[].id from the source, violating the unique-id invariant.
Removing a section clears descendant selection. Previously, deleting an ancestor with a child selected left selectedBlockId dangling on the now-orphan id. The full subtree is walked on remove and selection is cleared if any descendant id matches.
addBlock / moveBlock validate columnIndex against the section layout. Passing columnIndex: 5 on a "2"-layout section no longer creates phantom columns persisted into JSON; out-of-range indices are rejected and moveBlock leaves the source intact.
Media-picker callers guard against post-unmount writes.ImageBlock, ImageToolbar, VideoToolbar, and the custom-block ImageField now check an alive flag after await onRequestMedia(). Closing the editor mid-pick no longer triggers zombie emit("update") / pulse-ref writes on a torn-down component.
Keyboard shortcuts scoped to the active editor when two are mounted. Each useEditorCore instance previously installed its own document keydown listener, so a single Cmd+Z fired both editors' undo handlers. The new activeEditorTracker routes shortcuts to the editor the user most recently interacted with (single-editor pages keep the original always-active behavior).
MergeTagSuggestion cancels its pending requestAnimationFrame on exit. The reposition-after-paint frame previously ran after the popup tore down, pinning the Vue app and DOM nodes for one frame.
useMergeTagField.insertMergeTag no longer emits after the host component unmounts. A scope-dispose flag now gates the post-await requestMergeTag() writes (emit + isEditing + nextTick).
useFonts.loadCustomFonts no longer flips isLoaded after dispose. The post-Promise.allSettled write is gated by the same scope-dispose flag.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
javascript:,data:,vbscript:,file:(plus case-bypasses likeJaVaScRiPt:and whitespace-padded variants) are now dropped at link-insert time. Safe schemes (http,https,mailto,tel,ftp,ftps,sms,xmpp,cid) and#anchors still pass through.v-htmlcontent sanitized before render.ParagraphBlockandTitleBlocknow scrub<script>/<style>/<iframe>/on*event handlers and unsafehref/srcschemes fromblock.contentbefore binding it tov-html. Closes the XSS path where a malicious or compromised template JSON could execute code on canvas load. TipTap-authored content (the common case) is unaffected.table,social, ormenublock previously reused identicalrows[].id/cells[].id/icons[].id/items[].idfrom the source, violating the unique-id invariant.selectedBlockIddangling on the now-orphan id. The full subtree is walked on remove and selection is cleared if any descendant id matches.addBlock/moveBlockvalidatecolumnIndexagainst the section layout. PassingcolumnIndex: 5on a"2"-layout section no longer creates phantom columns persisted into JSON; out-of-range indices are rejected andmoveBlockleaves the source intact.ImageBlock,ImageToolbar,VideoToolbar, and the custom-blockImageFieldnow check an alive flag afterawait onRequestMedia(). Closing the editor mid-pick no longer triggers zombieemit("update")/ pulse-ref writes on a torn-down component.useEditorCoreinstance previously installed its owndocumentkeydown listener, so a singleCmd+Zfired both editors' undo handlers. The newactiveEditorTrackerroutes shortcuts to the editor the user most recently interacted with (single-editor pages keep the original always-active behavior).MergeTagSuggestioncancels its pendingrequestAnimationFrameon exit. The reposition-after-paint frame previously ran after the popup tore down, pinning the Vue app and DOM nodes for one frame.useMergeTagField.insertMergeTagno longer emits after the host component unmounts. A scope-dispose flag now gates the post-await requestMergeTag()writes (emit +isEditing+nextTick).useFonts.loadCustomFontsno longer flipsisLoadedafter dispose. The post-Promise.allSettledwrite is gated by the same scope-dispose flag.