2.9.4

@neikiri neikiri released this 17 May 10:18
· 20 commits to main since this release

Added

  • Enhanced Image Upload Dialog — redesigned the image insert dialog with a prominent visual upload area for a clearer and more modern upload experience
  • Click-to-Select Upload Area — clicking anywhere in the upload zone now opens the native file picker
  • Drag & Drop Image Uploads — images can now be dragged directly into the upload area
  • Selected File Feedback — the upload dialog now displays feedback when a file has been selected
  • Responsive upload-zone styling optimized for compact mobile and touch-friendly interaction

Fixed

  • Floating Toolbar Scroll Offset — fixed incorrect positioning of the floating selection toolbar when the page is scrolled while using a sticky editor toolbar
  • Autosave Regex Hardening — reworked autosave storage key normalization to avoid a polynomial regular expression on uncontrolled input
  • Removed selector-string URL escaping when applying target="_blank" to selected links

Improved

  • Reworked HTML sanitization parsing to avoid DOMParser.parseFromString while preserving the existing sanitization allowlist behavior
  • Improved upload dialog usability across desktop and mobile devices

Security

  • Reduced ReDoS risk in autosave key normalization logic
  • Hardened sanitization internals while maintaining existing HTML allowlist behavior
  • Further reduced attack surface identified by static analysis and security scanning
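The "Autosave Regex Hardening" fix and the ReDoS item above describe a class of change that this added example illustrates; it is not the project's code. The function names, the key format and the 256-character cap are assumptions. It sets a regex-based key normalizer with a polynomial pattern beside a single-pass replacement that yields the same keys.

```javascript
// Added illustration; NOT the project's code. Function names, the key format
// and the 256-character cap are assumptions made for this example.
// Normal form: lower-case, runs of characters outside [a-z0-9] become one "-",
// and separators at either end are dropped.

// Regex form of the kind static analysis reports as polynomial: for an input
// such as "a" + many spaces + "b", the `[^a-z0-9]+$` alternative is retried
// from every position in the run and backtracks each time, so work is O(n^2).
function normalizeKeyRegex(input) {
  return String(input)
    .toLowerCase()
    .replace(/^[^a-z0-9]+|[^a-z0-9]+$/g, "")
    .replace(/[^a-z0-9]+/g, "-");
}

// Linear form: cap the length of the uncontrolled input, then scan once.
function normalizeKeyLinear(input, maxLen = 256) {
  const s = String(input).slice(0, maxLen).toLowerCase();
  let out = "";
  let pendingSep = false; // a separator run was seen since the last kept char
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    const keep = (c >= 48 && c <= 57) || (c >= 97 && c <= 122); // 0-9, a-z
    if (keep) {
      if (pendingSep && out.length > 0) out += "-"; // never leads the key
      out += s[i];
      pendingSep = false;
    } else {
      pendingSep = true; // trailing runs are never emitted
    }
  }
  return out;
}

// Constructed sample inputs: both forms agree on ordinary keys.
for (const sample of ["  My Draft #1  ", "editor://Page/42?x=y", "---", ""]) {
  console.log(JSON.stringify(sample), "->", normalizeKeyLinear(sample),
    normalizeKeyRegex(sample) === normalizeKeyLinear(sample));
}
```

The length cap bounds the work per call regardless of the caller, and the scan does constant work per character, so neither depends on how a regex engine backtracks.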

Changed

  • License changed from MIT to GNU Affero General Public License v3 (AGPL-3.0)

Full Changelog: 2.9.3...2.9.4