diff --git a/thirdparty/tinymce/README.md b/thirdparty/tinymce/README.md new file mode 100644 index 000000000..8220176c8 --- /dev/null +++ b/thirdparty/tinymce/README.md @@ -0,0 +1,8 @@ +# THIS PACKAGE CONTAINS MODIFICATIONS + +This is not just a direct copy of tinymce 4.9.11 - it contains various security patches. + +The source for this copy of tinymce is at https://github.com/silverstripe/tinymce/ + +To build out the dist files, simply follow the instructions in the readme of that repository, though note that you can run `npx grunt` instead of installing grunt if you want. +The relevant files will be in the `tmp/TinyMCE.4.9.11.nupkg` file that grunt builds out. diff --git a/thirdparty/tinymce/tinymce.js b/thirdparty/tinymce/tinymce.js index 657037e96..94dd04e56 100644 --- a/thirdparty/tinymce/tinymce.js +++ b/thirdparty/tinymce/tinymce.js @@ -17630,11 +17630,19 @@ } return sanitizedText; }; - var isInvalidUri = function (settings, uri) { + var safeSvgDataUrlElements = [ + 'img', + 'video' + ]; + var blockSvgDataUris = function (allowSvgDataUrls, tagName) { + var allowed = allowSvgDataUrls === null || allowSvgDataUrls === undefined ? contains(safeSvgDataUrlElements, tagName) : allowSvgDataUrls; + return !allowed; + }; + var isInvalidUri = function (settings, uri, tagName) { if (settings.allow_html_data_urls) { return false; } else if (/^data:image\//i.test(uri)) { - return settings.allow_svg_data_urls === false && /^data:image\/svg\+xml/i.test(uri); + return blockSvgDataUris(settings.allow_svg_data_urls, tagName) && /^data:image\/svg\+xml/i.test(uri); } else { return /^data:/i.test(uri); } @@ -17717,7 +17725,7 @@ stack.length = pos; } }; - var parseAttribute = function (match, name, value, val2, val3) { + var parseAttribute = function (tagName, name, value, val2, val3) { var attrRule, i; var trimRegExp = /[\s\u0000-\u001F]+/g; name = name.toLowerCase(); @@ -17753,7 +17761,7 @@ if (scriptUriRegExp.test(uri)) { return; } - if (isInvalidUri(settings, uri)) { + if (isInvalidUri(settings, uri, tagName)) { return; } } @@ -17822,7 +17830,10 @@ } attrList = []; attrList.map = {}; - attribsValue.replace(attrRegExp, parseAttribute); + attribsValue.replace(attrRegExp, function (match, name, val, val2, val3) { + parseAttribute(value, name, val, val2, val3); + return ''; + }); } else { attrList = []; attrList.map = {}; @@ -20416,6 +20427,14 @@ } return collection; }; + Node.prototype.children = function () { + var self = this; + var collection = []; + for (var node = self.firstChild; node; node = node.next) { + collection.push(node); + } + return collection; + }; Node.prototype.empty = function () { var self = this; var nodes, i, node; @@ -20681,6 +20700,23 @@ whitespaceElements = schema.getWhiteSpaceElements(); textBlockElements = schema.getTextBlockElements(); specialElements = schema.getSpecialElements(); + var removeOrUnwrapInvalidNode = function (node, originalNodeParent) { + if (originalNodeParent === void 0) { + originalNodeParent = node.parent; + } + if (specialElements[node.name]) { + node.empty().remove(); + } else { + var children = node.children(); + for (var _i = 0, children_1 = children; _i < children_1.length; _i++) { + var childNode_1 = children_1[_i]; + if (!schema.isValidChild(originalNodeParent.name, childNode_1.name)) { + removeOrUnwrapInvalidNode(childNode_1, originalNodeParent); + } + } + node.unwrap(); + } + }; for (ni = 0; ni < nodes.length; ni++) { node = nodes[ni]; if (!node.parent || node.fixed) { @@ -20706,31 +20742,35 @@ parents.push(parent); } if (parent && parents.length > 1) { - parents.reverse(); - newParent = currentNode = filterNode(parents[0].clone()); - for (i = 0; i < parents.length - 1; i++) { - if (schema.isValidChild(currentNode.name, parents[i].name)) { - tempNode = filterNode(parents[i].clone()); - currentNode.append(tempNode); + if (schema.isValidChild(parent.name, node.name)) { + parents.reverse(); + newParent = currentNode = filterNode(parents[0].clone()); + for (i = 0; i < parents.length - 1; i++) { + if (schema.isValidChild(currentNode.name, parents[i].name)) { + tempNode = filterNode(parents[i].clone()); + currentNode.append(tempNode); + } else { + tempNode = currentNode; + } + for (childNode = parents[i].firstChild; childNode && childNode !== parents[i + 1];) { + nextNode = childNode.next; + tempNode.append(childNode); + childNode = nextNode; + } + currentNode = tempNode; + } + if (!isEmpty$2(schema, nonEmptyElements, whitespaceElements, newParent)) { + parent.insert(newParent, parents[0], true); + parent.insert(node, newParent); } else { - tempNode = currentNode; + parent.insert(node, parents[0], true); } - for (childNode = parents[i].firstChild; childNode && childNode !== parents[i + 1];) { - nextNode = childNode.next; - tempNode.append(childNode); - childNode = nextNode; + parent = parents[0]; + if (isEmpty$2(schema, nonEmptyElements, whitespaceElements, parent) || hasOnlyChild(parent, 'br')) { + parent.empty().remove(); } - currentNode = tempNode; - } - if (!isEmpty$2(schema, nonEmptyElements, whitespaceElements, newParent)) { - parent.insert(newParent, parents[0], true); - parent.insert(node, newParent); } else { - parent.insert(node, parents[0], true); - } - parent = parents[0]; - if (isEmpty$2(schema, nonEmptyElements, whitespaceElements, parent) || hasOnlyChild(parent, 'br')) { - parent.empty().remove(); + removeOrUnwrapInvalidNode(node); } } else if (node.parent) { if (node.name === 'li') { @@ -20750,11 +20790,7 @@ if (schema.isValidChild(node.parent.name, 'div') && schema.isValidChild('div', node.name)) { node.wrap(filterNode(new Node$1('div', 1))); } else { - if (specialElements[node.name]) { - node.empty().remove(); - } else { - node.unwrap(); - } + removeOrUnwrapInvalidNode(node); } } } @@ -20930,6 +20966,7 @@ parser = SaxParser$1({ validate: validate, allow_script_urls: settings.allow_script_urls, + allow_svg_data_urls: settings.allow_svg_data_urls, allow_conditional_comments: settings.allow_conditional_comments, self_closing_elements: cloneAndExcludeBlocks(schema.getSelfClosingElements()), cdata: function (text) { diff --git a/thirdparty/tinymce/tinymce.min.js b/thirdparty/tinymce/tinymce.min.js index e9681abaa..fa6fbbf11 100644 --- a/thirdparty/tinymce/tinymce.min.js +++ b/thirdparty/tinymce/tinymce.min.js @@ -1,2 +1,2 @@ // 4.9.11 (2020-07-13) -!function(V){"use strict";var o=function(){},H=function(n,r){return function(){for(var e=[],t=0;t+~]|"+at+")"+at+"*"),mt=new RegExp("="+at+"*([^\\]'\"]*?)"+at+"*\\]","g"),gt=new RegExp(ct),pt=new RegExp("^"+ut+"$"),ht={ID:new RegExp("^#("+ut+")"),CLASS:new RegExp("^\\.("+ut+")"),TAG:new RegExp("^("+ut+"|[*])"),ATTR:new RegExp("^"+st),PSEUDO:new RegExp("^"+ct),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+at+"*(even|odd|(([+-]|)(\\d*)n|)"+at+"*(?:([+-]|)"+at+"*(\\d+)|))"+at+"*\\)|)","i"),bool:new RegExp("^(?:checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped)$","i"),needsContext:new RegExp("^"+at+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+at+"*((?:-\\d)?\\d*)"+at+"*\\)|)(?=[^-]|$)","i")},vt=/^(?:input|select|textarea|button)$/i,yt=/^h\d$/i,bt=/^[^{]+\{\s*\[native \w/,Ct=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,xt=/[+~]/,wt=/'|\\/g,Nt=new RegExp("\\\\([\\da-f]{1,6}"+at+"?|("+at+")|.)","ig"),Et=function(e,t,n){var r="0x"+t-65536;return r!=r||n?t:r<0?String.fromCharCode(r+65536):String.fromCharCode(r>>10|55296,1023&r|56320)};try{rt.apply(et=ot.call($e.childNodes),$e.childNodes),et[$e.childNodes.length].nodeType}catch(iE){rt={apply:et.length?function(e,t){nt.apply(e,ot.call(t))}:function(e,t){for(var n=e.length,r=0;e[n++]=t[r++];);e.length=n-1}}}var St=function(e,t,n,r){var o,i,a,u,s,c,l,f,d,m;if((t?t.ownerDocument||t:$e)!==Me&&Fe(t),n=n||[],!e||"string"!=typeof e)return n;if(1!==(u=(t=t||Me).nodeType)&&9!==u)return[];if(Ue&&!r){if(o=Ct.exec(e))if(a=o[1]){if(9===u){if(!(i=t.getElementById(a))||!i.parentNode)return n;if(i.id===a)return n.push(i),n}else if(t.ownerDocument&&(i=t.ownerDocument.getElementById(a))&&He(t,i)&&i.id===a)return n.push(i),n}else{if(o[2])return rt.apply(n,t.getElementsByTagName(e)),n;if((a=o[3])&&ke.getElementsByClassName)return rt.apply(n,t.getElementsByClassName(a)),n}if(ke.qsa&&(!je||!je.test(e))){if(f=l=qe,d=t,m=9===u&&e,1===u&&"object"!==t.nodeName.toLowerCase()){for(c=De(e),(l=t.getAttribute("id"))?f=l.replace(wt,"\\$&"):t.setAttribute("id",f),f="[id='"+f+"'] ",s=c.length;s--;)c[s]=f+Pt(c[s]);d=xt.test(e)&&Ot(t.parentNode)||t,m=c.join(",")}if(m)try{return rt.apply(n,d.querySelectorAll(m)),n}catch(g){}finally{l||t.removeAttribute("id")}}}return Be(e.replace(lt,"$1"),t,n,r)};function Tt(){var r=[];return function e(t,n){return r.push(t+" ")>_e.cacheLength&&delete e[r.shift()],e[t+" "]=n}}function kt(e){return e[qe]=!0,e}function _t(e,t){var n=t&&e,r=n&&1===e.nodeType&&1===t.nodeType&&(~t.sourceIndex||1<<31)-(~e.sourceIndex||1<<31);if(r)return r;if(n)for(;n=n.nextSibling;)if(n===t)return-1;return e?1:-1}function At(t){return function(e){return"input"===e.nodeName.toLowerCase()&&e.type===t}}function Rt(n){return function(e){var t=e.nodeName.toLowerCase();return("input"===t||"button"===t)&&e.type===n}}function Dt(a){return kt(function(i){return i=+i,kt(function(e,t){for(var n,r=a([],e.length,i),o=r.length;o--;)e[n=r[o]]&&(e[n]=!(t[n]=e[n]))})})}function Ot(e){return e&&typeof e.getElementsByTagName!==Qe&&e}for(Te in ke=St.support={},Re=St.isXML=function(e){var t=e&&(e.ownerDocument||e).documentElement;return!!t&&"HTML"!==t.nodeName},Fe=St.setDocument=function(e){var t,s=e?e.ownerDocument||e:$e,n=s.defaultView;return s!==Me&&9===s.nodeType&&s.documentElement?(ze=(Me=s).documentElement,Ue=!Re(s),n&&n!==function(e){try{return e.top}catch(t){}return null}(n)&&(n.addEventListener?n.addEventListener("unload",function(){Fe()},!1):n.attachEvent&&n.attachEvent("onunload",function(){Fe()})),ke.attributes=!0,ke.getElementsByTagName=!0,ke.getElementsByClassName=bt.test(s.getElementsByClassName),ke.getById=!0,_e.find.ID=function(e,t){if(typeof t.getElementById!==Qe&&Ue){var n=t.getElementById(e);return n&&n.parentNode?[n]:[]}},_e.filter.ID=function(e){var t=e.replace(Nt,Et);return function(e){return e.getAttribute("id")===t}},_e.find.TAG=ke.getElementsByTagName?function(e,t){if(typeof t.getElementsByTagName!==Qe)return t.getElementsByTagName(e)}:function(e,t){var n,r=[],o=0,i=t.getElementsByTagName(e);if("*"===e){for(;n=i[o++];)1===n.nodeType&&r.push(n);return r}return i},_e.find.CLASS=ke.getElementsByClassName&&function(e,t){if(Ue)return t.getElementsByClassName(e)},Ve=[],je=[],ke.disconnectedMatch=!0,je=je.length&&new RegExp(je.join("|")),Ve=Ve.length&&new RegExp(Ve.join("|")),t=bt.test(ze.compareDocumentPosition),He=t||bt.test(ze.contains)?function(e,t){var n=9===e.nodeType?e.documentElement:e,r=t&&t.parentNode;return e===r||!(!r||1!==r.nodeType||!(n.contains?n.contains(r):e.compareDocumentPosition&&16&e.compareDocumentPosition(r)))}:function(e,t){if(t)for(;t=t.parentNode;)if(t===e)return!0;return!1},Je=t?function(e,t){if(e===t)return Le=!0,0;var n=!e.compareDocumentPosition-!t.compareDocumentPosition;return n||(1&(n=(e.ownerDocument||e)===(t.ownerDocument||t)?e.compareDocumentPosition(t):1)||!ke.sortDetached&&t.compareDocumentPosition(e)===n?e===s||e.ownerDocument===$e&&He($e,e)?-1:t===s||t.ownerDocument===$e&&He($e,t)?1:Ie?it.call(Ie,e)-it.call(Ie,t):0:4&n?-1:1)}:function(e,t){if(e===t)return Le=!0,0;var n,r=0,o=e.parentNode,i=t.parentNode,a=[e],u=[t];if(!o||!i)return e===s?-1:t===s?1:o?-1:i?1:Ie?it.call(Ie,e)-it.call(Ie,t):0;if(o===i)return _t(e,t);for(n=e;n=n.parentNode;)a.unshift(n);for(n=t;n=n.parentNode;)u.unshift(n);for(;a[r]===u[r];)r++;return r?_t(a[r],u[r]):a[r]===$e?-1:u[r]===$e?1:0},s):Me},St.matches=function(e,t){return St(e,null,null,t)},St.matchesSelector=function(e,t){if((e.ownerDocument||e)!==Me&&Fe(e),t=t.replace(mt,"='$1']"),ke.matchesSelector&&Ue&&(!Ve||!Ve.test(t))&&(!je||!je.test(t)))try{var n=(void 0).call(e,t);if(n||ke.disconnectedMatch||e.document&&11!==e.document.nodeType)return n}catch(iE){}return 0":{dir:"parentNode",first:!0}," ":{dir:"parentNode"},"+":{dir:"previousSibling",first:!0},"~":{dir:"previousSibling"}},preFilter:{ATTR:function(e){return e[1]=e[1].replace(Nt,Et),e[3]=(e[3]||e[4]||e[5]||"").replace(Nt,Et),"~="===e[2]&&(e[3]=" "+e[3]+" "),e.slice(0,4)},CHILD:function(e){return e[1]=e[1].toLowerCase(),"nth"===e[1].slice(0,3)?(e[3]||St.error(e[0]),e[4]=+(e[4]?e[5]+(e[6]||1):2*("even"===e[3]||"odd"===e[3])),e[5]=+(e[7]+e[8]||"odd"===e[3])):e[3]&&St.error(e[0]),e},PSEUDO:function(e){var t,n=!e[6]&&e[2];return ht.CHILD.test(e[0])?null:(e[3]?e[2]=e[4]||e[5]||"":n&>.test(n)&&(t=De(n,!0))&&(t=n.indexOf(")",n.length-t)-n.length)&&(e[0]=e[0].slice(0,t),e[2]=n.slice(0,t)),e.slice(0,3))}},filter:{TAG:function(e){var t=e.replace(Nt,Et).toLowerCase();return"*"===e?function(){return!0}:function(e){return e.nodeName&&e.nodeName.toLowerCase()===t}},CLASS:function(e){var t=Xe[e+" "];return t||(t=new RegExp("(^|"+at+")"+e+"("+at+"|$)"))&&Xe(e,function(e){return t.test("string"==typeof e.className&&e.className||typeof e.getAttribute!==Qe&&e.getAttribute("class")||"")})},ATTR:function(n,r,o){return function(e){var t=St.attr(e,n);return null==t?"!="===r:!r||(t+="","="===r?t===o:"!="===r?t!==o:"^="===r?o&&0===t.indexOf(o):"*="===r?o&&-1)[^>]*$|#([\w\-]*)$)/,Zt=Se.Event,en=Xt.makeMap("children,contents,next,prev"),tn=function(e){return void 0!==e},nn=function(e){return"string"==typeof e},rn=function(e,t){var n,r,o;for(o=(t=t||Yt).createElement("div"),n=t.createDocumentFragment(),o.innerHTML=e;r=o.firstChild;)n.appendChild(r);return n},on=function(e,t,n,r){var o;if(nn(t))t=rn(t,bn(e[0]));else if(t.length&&!t.nodeType){if(t=gn.makeArray(t),r)for(o=t.length-1;0<=o;o--)on(e,t[o],n,r);else for(o=0;o"===e.charAt(e.length-1)&&3<=e.length?[null,e,null]:Qt.exec(e)))return gn(t).find(e);if(n[1])for(r=rn(e,bn(t)).firstChild;r;)Gt.call(o,r),r=r.nextSibling;else{if(!(r=bn(t).getElementById(n[2])))return o;if(r.id!==n[2])return o.find(e);o.length=1,o[0]=r}}else this.add(e,!1);return o},toArray:function(){return Xt.toArray(this)},add:function(e,t){var n,r,o=this;if(nn(e))return o.add(gn(e));if(!1!==t)for(n=gn.unique(o.toArray().concat(gn.makeArray(e))),o.length=n.length,r=0;r=a.length&&r(o)}))})})},co=function(e){return so(e,uo.nu)},lo=function(n){return{is:function(e){return n===e},isValue:C,isError:b,getOr:q(n),getOrThunk:q(n),getOrDie:q(n),or:function(e){return lo(n)},orThunk:function(e){return lo(n)},fold:function(e,t){return t(n)},map:function(e){return lo(e(n))},mapError:function(e){return lo(n)},each:function(e){e(n)},bind:function(e){return e(n)},exists:function(e){return e(n)},forall:function(e){return e(n)},toOption:function(){return _.some(n)}}},fo=function(n){return{is:b,isValue:b,isError:C,getOr:$,getOrThunk:function(e){return e()},getOrDie:function(){return e=String(n),function(){throw new Error(e)}();var e},or:function(e){return e},orThunk:function(e){return e()},fold:function(e,t){return e(n)},map:function(e){return fo(n)},mapError:function(e){return fo(e(n))},each:o,bind:function(e){return fo(n)},exists:b,forall:C,toOption:_.none}},mo={value:lo,error:fo,fromOption:function(e,t){return e.fold(function(){return fo(t)},lo)}};function go(e,u){var t=e,n=function(e,t,n,r){var o,i;if(e){if(!r&&e[t])return e[t];if(e!==u){if(o=e[n])return o;for(i=e.parentNode;i&&i!==u;i=i.parentNode)if(o=i[n])return o}}};this.current=function(){return t},this.next=function(e){return t=n(t,"firstChild","nextSibling",e)},this.prev=function(e){return t=n(t,"lastChild","previousSibling",e)},this.prev2=function(e){return t=function(e,t,n,r){var o,i,a;if(e){if(o=e[n],u&&o===u)return;if(o){if(!r)for(a=o[t];a;a=a[t])if(!a[t])return a;return o}if((i=e.parentNode)&&i!==u)return i}}(t,"lastChild","previousSibling",e)}}var po,ho,vo,yo=function(t){var n;return function(e){return(n=n||function(e,t){for(var n={},r=0,o=e.length;r\"\u0060\u007E-\uD7FF\uE000-\uFFEF]|[\uD800-\uDBFF][\uDC00-\uDFFF]/g,Ko=/[<>&\u007E-\uD7FF\uE000-\uFFEF]|[\uD800-\uDBFF][\uDC00-\uDFFF]/g,Xo=/[<>&\"\']/g,Yo=/&#([a-z0-9]+);?|&([a-z0-9]+);/gi,Go={128:"\u20ac",130:"\u201a",131:"\u0192",132:"\u201e",133:"\u2026",134:"\u2020",135:"\u2021",136:"\u02c6",137:"\u2030",138:"\u0160",139:"\u2039",140:"\u0152",142:"\u017d",145:"\u2018",146:"\u2019",147:"\u201c",148:"\u201d",149:"\u2022",150:"\u2013",151:"\u2014",152:"\u02dc",153:"\u2122",154:"\u0161",155:"\u203a",156:"\u0153",158:"\u017e",159:"\u0178"};ho={'"':""","'":"'","<":"<",">":">","&":"&","`":"`"},vo={"<":"<",">":">","&":"&",""":'"',"'":"'"};var Jo=function(e,t){var n,r,o,i={};if(e){for(e=e.split(","),t=t||10,n=0;n>10),56320+(1023&t))):Go[t]||String.fromCharCode(t):vo[e]||po[e]||(n=e,(r=ar.fromTag("div").dom()).innerHTML=n,r.textContent||r.innerText||n);var n,r})}},ni={},ri={},oi=Xt.makeMap,ii=Xt.each,ai=Xt.extend,ui=Xt.explode,si=Xt.inArray,ci=function(e,t){return(e=Xt.trim(e))?e.split(t||" "):[]},li=function(e){var u,t,n,r,o,i,s={},a=function(e,t,n){var r,o,i,a=function(e,t){var n,r,o={};for(n=0,r=e.length;n