Releases: neikiri/neiki-editor

3.0.3

31 May 15:03

Fixed

  • Empty Editor Content Handling — fixed empty editor submissions returning <p><br></p> instead of a blank value
  • getContent() now returns an empty string when the editor contains only the default empty block inserted by the browser

Full Changelog: 3.0.2...3.0.3

3.0.2

19 May 08:52

Added

  • Added missing i18n translation keys for:
    • Insert Video toolbar item
    • dropdown menu item
    • modal labels
    • upload states
    • validation messages
  • Translation coverage updated across all built-in languages

Fixed

  • Blockquote Toggle Handling — fixed blockquote toggling when the quote contains nested <p> elements
  • Active <blockquote> containers are now correctly unwrapped instead of formatting the inner paragraph
  • Fixed inconsistent quote removal behavior in nested paragraph structures

Improved

  • Hid the left-side block drag grip on touch and coarse-pointer devices
  • Touch/mobile users now rely on the existing move up/down toolbar controls for more precise block repositioning
  • Improved touch-device editing experience by reducing accidental drag interactions

Full Changelog: 3.0.1...3.0.2

3.0.1

18 May 20:45

Fixed

  • HTML Code View Regex Risk — fixed a polynomial regular expression vulnerability in HTML code view formatting
  • Replaced the regex-based tokenizer with a deterministic linear scan implementation

Improved

  • Improved performance and stability when formatting large or malformed HTML content
  • Simplified internal HTML formatting logic for safer processing behavior

Security

  • Reduced ReDoS (Regular Expression Denial of Service) attack surface in HTML code view processing
  • Eliminated expensive regex backtracking behavior during HTML formatting
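
A single-pass tokenizer of the kind this release describes, as an added example (not neiki-editor's own code; `tokenizeHtml` and the token shape are assumptions). Each character is consumed once, so malformed input such as an unterminated tag cannot trigger backtracking:

```javascript
// Added example: single-pass HTML tokenizer for a code-view formatter.
// tokenizeHtml is an illustrative name, not neiki-editor's function.
function tokenizeHtml(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') {
      // Text run: jump straight to the next '<' (or end of input).
      const next = html.indexOf('<', i);
      const end = next === -1 ? html.length : next;
      tokens.push({ type: 'text', value: html.slice(i, end) });
      i = end;
      continue;
    }
    if (html.startsWith('<!--', i)) {
      // Comment: ends at the first '-->'; if unterminated, take the rest.
      const close = html.indexOf('-->', i + 4);
      const end = close === -1 ? html.length : close + 3;
      tokens.push({ type: 'comment', value: html.slice(i, end) });
      i = end;
      continue;
    }
    // Tag: walk to the closing '>' while skipping quoted attribute values.
    let j = i + 1;
    let quote = null;
    while (j < html.length) {
      const ch = html[j];
      if (quote) { if (ch === quote) quote = null; }
      else if (ch === '"' || ch === "'") quote = ch;
      else if (ch === '>') break;
      j++;
    }
    // Unterminated tag: emit the remainder as one token instead of rescanning.
    const end = j < html.length ? j + 1 : html.length;
    tokens.push({ type: 'tag', value: html.slice(i, end) });
    i = end;
  }
  return tokens;
}
```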

Full Changelog: 3.0.0...3.0.1

3.0.0

18 May 20:26

Added

  • New Built-in Themes — added two new editor themes:
    • blue
    • dark-blue
  • Video Embedding Support — added Insert > Video with:
    • URL input
    • file upload modal
    • base64 embedding support
    • optional videoUploadHandler integration
  • Video Editing Toolbar — selected videos now support:
    • resize
    • reposition
    • replace
    • delete actions
  • Drag & Drop Video Uploads — video files can now be inserted directly via drag and drop
  • Drag & Drop Text Reordering — selected text can now be dragged and repositioned inside the editor
  • Shared Drop Indicator — added a caret-style drop indicator for dragged:
    • text
    • images
    • videos
  • Added sanitizer support for editor-generated <video> and <source> elements

Fixed

  • Editor Grip SVG Injection — fixed rare cases where editor drag-handle SVGs could accidentally be inserted into document content
  • Moved editor block grips outside editable content areas
  • Stripped editor UI elements from dragged fragments before insertion
  • Prevented native blue browser selection highlights on selected images/videos and their media toolbar

Improved

  • Replaced the old Toggle Theme action with a translated Change theme select for choosing a specific built-in theme
  • Updated drag handle icon styling
  • Improved HTML code view with:
    • formatted multi-line HTML output
    • syntax highlighting support
  • Updated README and wiki documentation for:
    • themes
    • video insertion
    • upload configuration

Security

  • Improved sanitizer handling for embedded media content
  • Prevented internal editor UI artifacts from leaking into saved document HTML

Full Changelog: 2.10.1...3.0.0

2.10.1

18 May 18:23

Fixed

  • HTML Sanitizer XSS Vulnerability — fixed a cross-site scripting (XSS) vulnerability in the sanitizer's entity decoding logic
  • Replaced innerHTML-based entity decoding with a safe regex-based implementation that never parses HTML
  • Added safe support for:
    • named entities such as &amp;, &lt;, &gt;, &quot;, &apos;, and &nbsp;
    • numeric entities like &#123;
    • hexadecimal entities like &#x1F4A9;

Security

  • Eliminated HTML parsing during entity decoding to reduce XSS attack surface
  • Hardened sanitizer internals against malicious entity-based payloads
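
Entity decoding done as plain string replacement, covering the named, numeric and hexadecimal forms listed above. This is an added example, not neiki-editor's own code; `NAMED_ENTITIES`, `ENTITY_RE` and `decodeEntities` are assumed names:

```javascript
// Added example: decode HTML entities as string work, never through an HTML parser.
// All names here are illustrative, not neiki-editor's internals.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00A0',
};

// One bounded alternation with no nested quantifiers: matching stays linear.
const ENTITY_RE = /&(?:#(\d{1,7})|#[xX]([0-9a-fA-F]{1,6})|([a-zA-Z]{2,8}));/g;

function codePointToString(cp) {
  // NUL, surrogates and out-of-range values become U+FFFD instead of throwing.
  if (cp === 0 || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return '\uFFFD';
  return String.fromCodePoint(cp);
}

function decodeEntities(text) {
  // Single pass: the output of one replacement is never scanned again,
  // so "&amp;lt;" decodes to "&lt;" and not to "<".
  return String(text).replace(ENTITY_RE, (match, dec, hex, name) => {
    if (dec !== undefined) return codePointToString(parseInt(dec, 10));
    if (hex !== undefined) return codePointToString(parseInt(hex, 16));
    // Own-property lookup so names like "valueOf" never resolve via the prototype chain.
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name)
      ? NAMED_ENTITIES[name]
      : match; // unknown entity: leave the text as written
  });
}

// Constructed sample input; the decoded markup is only ever a string value.
const sample = '&lt;b&gt;x&lt;/b&gt; &amp; &#123; &#x1F4A9;&nbsp;';
const decoded = decodeEntities(sample);
```

The return value is text, so it belongs in `textContent` or must be re-escaped before it is placed back into markup.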

Full Changelog: 2.10.0...2.10.1

2.10.0

18 May 18:11

Added

  • Code Formatting Toolbar Button — added a new code toolbar action with smart formatting behavior:
    • single-line selections are wrapped in inline <code>
    • multi-line selections create a <pre><code> code block
    • clicking again toggles/removes existing code formatting
  • The code button is now included in the default toolbar between subscript and removeFormat
  • Added toolbar.code translation key to all 8 built-in languages:
    • English (en)
    • Czech (cs)
    • Chinese (zh)
    • Spanish (es)
    • German (de)
    • French (fr)
    • Portuguese (pt)
    • Japanese (ja)

Fixed

  • List Toggle Paragraph Wrapping — fixed text not being properly wrapped in <p> elements after disabling Bullet List or Numbered List formatting
  • Consecutive inline/text nodes are now grouped into a single paragraph instead of generating multiple fragmented <p> elements
  • HTML Entity Decoding — fixed HTML entities such as &amp; being displayed as literal text instead of decoded characters

Improved

  • Renamed custom_class config option to customClass for consistency with the editor’s camelCase API style
  • Backward compatibility is preserved — the legacy custom_class option still works

Full Changelog: 2.9.5...2.10.0

2.9.5

17 May 19:29

Added

  • Custom Content Class — new custom_class config option appends a custom CSS class to the editor content area alongside the default neiki-content class, making it easier to apply custom styles without overriding defaults

Fixed

  • Image Inline Display — set display: inline-block on .neiki-content img to avoid layout conflicts with CSS resets that set images to display: block

Improved

  • Updated documentation (README, wiki) with custom_class configuration instructions and examples

Full Changelog: 2.9.4...2.9.5

2.9.4

17 May 10:18

Added

  • Enhanced Image Upload Dialog — redesigned the image insert dialog with a prominent visual upload area for a clearer and more modern upload experience
  • Click-to-Select Upload Area — clicking anywhere in the upload zone now opens the native file picker
  • Drag & Drop Image Uploads — images can now be dragged directly into the upload area
  • Selected File Feedback — the upload dialog now displays feedback when a file has been selected
  • Responsive upload-zone styling optimized for compact mobile and touch-friendly interaction

Fixed

  • Floating Toolbar Scroll Offset — fixed incorrect positioning of the floating selection toolbar when the page is scrolled while using a sticky editor toolbar
  • Autosave Regex Hardening — reworked autosave storage key normalization to avoid a polynomial regular expression on uncontrolled input
  • Removed selector-string URL escaping when applying target="_blank" to selected links

Improved

  • Reworked HTML sanitization parsing to avoid DOMParser.parseFromString while preserving the existing sanitization allowlist behavior
  • Improved upload dialog usability across desktop and mobile devices

Security

  • Reduced ReDoS risk in autosave key normalization logic
  • Hardened sanitization internals while maintaining existing HTML allowlist behavior
  • Further reduced attack surface identified by static analysis and security scanning

Changed

  • License changed from MIT to GNU Affero General Public License v3 (AGPL-3.0)

Full Changelog: 2.9.3...2.9.4

2.9.3

17 May 08:53

Added

  • New autosaveKey configuration option for custom autosave draft scoping
  • Support for data-neiki-autosave-key attribute to isolate autosave data between editors
  • Extended autosave documentation with guidance for:
    • multiple editors on the same page
    • same-URL edit screens
    • custom autosave scopes

Fixed

  • Autosave Storage Collisions — autosave drafts are now scoped per page URL and editor identity to prevent editors from overwriting each other’s data
  • Unsafe Modal Interpolation — escaped user-controlled values in link/image dialogs to prevent unsafe HTML injection
  • Inserted Image Attribute Escaping — image attributes are now safely escaped before insertion into editor HTML
  • Prototype Pollution Protection — translation/config merging now blocks dangerous keys such as __proto__, prototype, and constructor
  • Removed unused internal variables reported by static analysis in:
    • image upload handling
    • find/replace logic
    • image resize code

Improved

  • Hardened HTML sanitization when restoring editor content from:
    • autosave drafts
    • textarea/source HTML
    • public HTML insertion APIs

Security

  • Improved defense against XSS vectors during autosave restoration and HTML insertion
  • Added safeguards against prototype pollution attacks during deep object merging
  • Reduced attack surface identified by GitHub Code Scanning / static analysis
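
A deep merge that blocks `__proto__`, `prototype` and `constructor` at every nesting level, as described for translation/config merging above. This is an added example, not neiki-editor's own code; `safeDeepMerge`, `isPlainObject` and the sample objects are assumptions:

```javascript
// Added example: deep merge for translation/config objects that refuses
// prototype-polluting keys. All names here are illustrative.
const BLOCKED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

function isPlainObject(value) {
  return Object.prototype.toString.call(value) === '[object Object]';
}

function safeDeepMerge(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {   // own enumerable keys only
    if (BLOCKED_KEYS.has(key)) continue;     // dropped at every depth
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse only into an own plain-object property, never an inherited one.
      const own = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]);
      if (!own) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input shaped like user-supplied translations parsed from JSON.
// JSON.parse creates "__proto__" as an own property, which a naive merge walks into.
const untrusted = JSON.parse(
  '{"toolbar":{"code":"Code","__proto__":{"polluted":true}},' +
  '"__proto__":{"polluted":true},' +
  '"constructor":{"prototype":{"polluted":true}}}'
);
const defaults = { toolbar: { bold: 'Bold' } };
const merged = safeDeepMerge(defaults, untrusted);
```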

Full Changelog: 2.9.2...2.9.3

2.9.2

16 May 18:11

Added

  • Drag to Reposition Images — click and hold an image (or use the grip handle) to drag and drop it anywhere in the editor, including between words (inline caret placement)
  • Image-Specific Toolbar — selecting an image now shows a contextual toolbar with Drag handle, Move Block Up/Down, Replace Image, and Delete actions
  • Replace Image action — quickly swap a selected image via file picker (supports both base64 and imageUploadHandler)
  • Sticky Toolbar — when the editor has no maxHeight (page-flow mode), the toolbar uses position: sticky to remain visible while scrolling
  • Touch/Mobile Image Drag & Drop — images can be repositioned on touch devices using the grip handle in the image toolbar
  • New translation keys for all 8 languages: imageToolbar.replaceImage, imageToolbar.deleteImage, imageToolbar.dragToMove

Fixed

  • Image Toolbar Positioning — toolbar now automatically shows below the image when near the top of the editor, preventing overlap with the main toolbar
  • Blockquote Toggle — the blockquote button now properly toggles on/off; clicking again removes the formatting
  • Font Size Selection Preservation — selection is now tracked continuously via selectionchange; changing font size via +/− buttons or presets no longer jumps to unrelated text
  • Image Resize Styles on Form Submission — resized image dimensions (inline width/height) are now correctly synced and preserved after form submission
  • File Upload Button Alignment — the native upload button inside modals is now vertically centered on all devices
  • Image Toolbar Overflow on Mobile — toolbar buttons now stay within the viewport on small screens

Improved

  • Floating selection toolbar is automatically hidden when an image is selected (image toolbar takes over)
  • Blockquote button now shows active state when the cursor is inside a blockquote
  • Modal responsiveness on mobile — proper max-height, scrollable body, stacked form rows, and iOS zoom prevention on input focus

Thanks to @ifeiwu for reporting several of these issues! 🙌

Full Changelog: 2.9.1...2.9.2