2.9.3

@neikiri neikiri released this 17 May 08:53
· 21 commits to main since this release

Added

  • New autosaveKey configuration option for custom autosave draft scoping
  • Support for data-neiki-autosave-key attribute to isolate autosave data between editors
  • Extended autosave documentation with guidance for:
    • multiple editors on the same page
    • same-URL edit screens
    • custom autosave scopes

Fixed

  • Autosave Storage Collisions — autosave drafts are now scoped per page URL and editor identity to prevent editors from overwriting each other’s data
  • Unsafe Modal Interpolation — escaped user-controlled values in link/image dialogs to prevent unsafe HTML injection
  • Inserted Image Attribute Escaping — image attributes are now safely escaped before insertion into editor HTML
  • Prototype Pollution Protection — translation/config merging now blocks dangerous keys such as __proto__, prototype, and constructor
  • Removed unused internal variables reported by static analysis in:
    • image upload handling
    • find/replace logic
    • image resize code

Improved

  • Hardened HTML sanitization when restoring editor content from:
    • autosave drafts
    • textarea/source HTML
    • public HTML insertion APIs

Security

  • Improved defense against XSS vectors during autosave restoration and HTML insertion
  • Added safeguards against prototype pollution attacks during deep object merging
  • Reduced attack surface identified by GitHub Code Scanning / static analysis
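
The key filter named under "Prototype Pollution Protection" and "deep object merging" above, sketched as an added example (not code from the Neiki Editor source). The function names, `BLOCKED_KEYS`, and the sample translation override are hypothetical and constructed for illustration; an unguarded merge is included only for contrast.

```javascript
// Added example, not project code. All names here are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded merge, for contrast: target['__proto__'] resolves to
// Object.prototype, so recursing into it writes onto every object.
function deepMergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      deepMergeNaive(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded merge: dangerous keys are dropped at every depth, and recursion
// only follows properties the target owns, never inherited ones.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      const base = own && isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMergeSafe(base, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample: a translation override parsed from JSON, where
// "__proto__" becomes an ordinary own property of the parsed object.
const SAMPLE = '{"link":{"title":"Insert link","__proto__":{"polluted":true}},' +
  '"constructor":{"prototype":{"polluted":true}}}';

function mergeSample(mergeFn) {
  const defaults = { link: { title: 'Link', url: 'URL' } };
  const merged = mergeFn(defaults, JSON.parse(SAMPLE));
  const leaked = ({}).polluted === true; // did a fresh object inherit it?
  delete Object.prototype.polluted;      // undo the naive merge's side effect
  return { title: merged.link.title, url: merged.link.url, leaked };
}
```

`mergeSample(deepMergeNaive)` reports `leaked: true`, while `mergeSample(deepMergeSafe)` applies the legitimate `title` override and reports `leaked: false`.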

Full Changelog: 2.9.2...2.9.3