When [we fixed an XSS vuln](https://github.com/ueberdosis/tiptap/pull/5160), we inadvertently broke the ability to use custom protocols. This resolves that by allowing additional custom protocols to be considered valid and not stripped out.
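
The trade-off described above, a scheme allowlist for link `href` values that an application can extend with its own protocols, is sketched below as an added example; it is not tiptap's code. The names `DEFAULT_PROTOCOLS`, `normalizeHref`, `getScheme` and `isAllowedHref`, the default scheme list and the `myapp` protocol are all assumptions made for illustration.

```javascript
// Added example (not tiptap's implementation): allowlist-based href validation
// with opt-in custom protocols. All names and the default list are hypothetical.
const DEFAULT_PROTOCOLS = ['http', 'https', 'mailto', 'tel'];

// Browsers drop ASCII tab/CR/LF anywhere in a URL and trim leading
// control characters and spaces, so normalize before reading the scheme.
function normalizeHref(href) {
  return String(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
}

// Returns the lower-cased scheme, or null when the value has no scheme
// (relative path, fragment, protocol-relative URL).
function getScheme(href) {
  const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(normalizeHref(href));
  return match ? match[1].toLowerCase() : null;
}

// An href is kept when it is relative or when its scheme is on the
// default list or on the caller-supplied custom list.
function isAllowedHref(href, customProtocols = []) {
  if (typeof href !== 'string' || href.length === 0) {
    return false;
  }
  const scheme = getScheme(href);
  if (scheme === null) {
    return true;
  }
  const allowed = new Set([
    ...DEFAULT_PROTOCOLS,
    ...customProtocols.map((p) => String(p).toLowerCase()),
  ]);
  return allowed.has(scheme);
}

// Constructed sample inputs: the custom scheme is rejected until registered.
console.log(isAllowedHref('myapp://open/42'));            // false
console.log(isAllowedHref('myapp://open/42', ['myapp'])); // true
```
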
This change introduces two new top-level options to the editor: `enableContentCheck` & `onContentError` for dealing with content supplied that does not match the prose-mirror schema generated by the set of tiptap extensions.
`enableContentCheck` allows the app developer to opt into the behavior to check for invalid schemas (this change is otherwise backwards compatible).
When true, this will try to parse the document, and any content that does not match the schema will emit a `contentError` which can be listened to via the `onContentError` callback.
Fixes risks outlined in #4600 by verifying that any src URLs are valid
YouTube URLs before rendering as HTML. My thoughts are that this attack
vector would be difficult to use because the attacker would have to have
a way to manipulate the TipTap payload in a manner that bypasses the
YouTube extension's `setYoutubeVideo` command, which already checks for
valid URLs.
* Fix TipTap getting loaded as CommonJS when the intent is to use the ES Module version.
* `package.json` change also makes explicit exports required
* Update `core` utilities exports to include all utilities
* Update tests to use exported utilities
Previously, setting marks did no schema validation checks for dry runs
(like the `.can()` command). The `setMark` raw command will now properly
check if the mark is possible to be set given the editor node/mark
schema.
Co-authored-by: Cameron Hessler <cameron.hessler@buildertrend.com>
Declare lowlight as a peerDependency to delegate
the control of which version of lowlight is used
to the client application
Co-authored-by: Enrique Alcantara <ealcantara@gitlab.com>
* add new addOptions option
* replace defaultOptions with addOptions for all extensions
* replace defaultOptions with addOptions for all demos
* replace defaultOptions with addOptions in docs
* refactoring
* refactoring
* drop object support for addOptions
* fix optional options
* fix tests
* refactoring
* improve link regex
* WIP: add new markPasteRule and linkify to image mark
* move copy of inputrule to core
* trigger codeblock inputrule on enter
* refactoring
* add regex match to markpasterulematch
* refactoring
* improve link regex
* WIP: add new markPasteRule and linkify to image mark
* move copy of inputrule to core
* trigger codeblock inputrule on enter
* refactoring
* add regex match to markpasterulematch
* update linkify
* wip
* wip
* log
* wip
* remove debug code
* wip
* wip
* wip
* wip
* wip
* wip
* wip
* wip
* rename matcher
* add data to ExtendedRegExpMatchArray
* remove logging
* add code option to marks, prevent inputrules in code mark
* remove link regex
* fix codeblock inputrule on enter
* refactoring
* refactoring
* refactoring
* refactoring
* fix position bug
* add test
* export InputRule and PasteRule
* clean up link demo
* fix types
Use the extension name when initializing the
LowlightPlugin. In this way, several extensions
can make use of the same plugin
Co-authored-by: Enrique Alcantara <ealcantara@gitlab.com>