New Feature

• A searchUrl and searchHeaders option has been added to the imageGallery, videoGallery, audioGallery, fileGallery, and fileBrowser plugins for server-side search. #1651
• A scriptSrcWhitelist option has been added to the embed plugin to allow <script src> in raw HTML embeds via an explicit allowlist. #1649

Bugfix

• Fixed a bug where Figure menu actions (alignment, block-inline toggle, preset resize) did not fire onChange. #1644
• Fixed a bug where tagStyles entries were ignored when the tag was also matched by a category default (@text or @line)
• Fixed an issue in the embed plugin where the raw HTML path did not validate iframe src against the URL allowlist, allowing arbitrary iframe URLs to bypass sanitization. #1649

Breaking Changes

• Removed spanStyles / lineStyles options — unified into tagStyles via the category sentinel keys @text / @line. An explicit tag entry always wins over the category default (e.g. tagStyles.div is used even though div is a line element — @line is ignored for div).
  • Migration:

    // Before
    { spanStyles: 'color|font-size', lineStyles: 'text-align|margin', tagStyles: { div: 'color' } }
    
    // After
    { tagStyles: { '@text': 'color|font-size', '@line': 'text-align|margin', div: 'color' } }

• embed plugin: <script> tags in raw HTML embeds are now rejected by default — add trusted patterns to scriptSrcWhitelist to allow them. #1649
  • Migration: for Twitter blockquote and similar embeds that require an external script, configure pluginOptions.embed.scriptSrcWhitelist: [/^https:\/\/platform\.twitter\.com\/widgets\.js$/]
• embed plugin: iframe src in raw HTML embeds is now validated against the registered URL patterns (embedQuery); non-matching URLs are rejected. #1649
• Browser module (modules/contract/Browser): renamed params.searchUrlHeader → params.searchHeaders, internal field urlHeader → headers. Custom browser plugins that import Browser directly must update the option name and field reference. #1651

Enhancement

• Support Popover API for floating UI elements (dialogs, dropdowns, controllers) to render above browser top-layer contexts such as Angular CDK Overlay. #1639

• Added stable id and autocomplete="off" to generated form fields to suppress Chrome form diagnostics. #1640

• Marked decorative line-number textareas as aria-hidden and removed from tab order

Bugfix

• Fixed a bug where page height calculation did not restart after a page break in document type mode
• Fixed a bug where anchor wrappers were lost when changing image format between inline and block styles. #1636

Breaking Changes

• Minimum supported Firefox version changed from 121 to 125 (required for Popover API)

Enhancement

• Updated design border-radius values

Bugfix

• Fixed a bug where textDirection, _editableClass, and printClass options were not synchronized when switching to RTL via setDir()
• Fixed a bug where toolbar button order was not reversed when switching to RTL via setDir()
• Fixed a bug where shortcut tooltips were added as duplicates
• Fixed a bug where tooltips in se-toolbar-bottom toolbar did not appear above the toolbar
• Fixed RTL mode issues including missing wysiwyg dir attribute, arrow key component detection, bidi edge correction for Enter/Backspace/Delete, empty line Backspace component selection, and modal input direction. #1631

Bugfix

• Fixed a bug where toolbar dropdown menus appeared before the viewport settled on mobile, causing visible repositioning when the keyboard dismissed.
• Fixed a bug where the Enter key edge detection was inaccurate inside format lines — offset-based check now works regardless of sibling nodes.

[LEGACY] Release v2.47.10

🔒 This release includes a critical security patch regarding an XSS vulnerability.

Security Fixes (v2.47.9)

• Fixed Critical XSS Vulnerability (Sanitizer Bypass)
  • Addressed an issue where the content sanitizer could be bypassed, potentially allowing stored/reflected XSS.
  • Resolves [#1604].
  • Special thanks to @nlgbao1340 for the responsible disclosure.

Bugfix (v2.47.10)

• Fixed a bug where only the last image was inserted during multi-image uploads. [#1584]

⚠️ Breaking Changes

• The mention plugin has been replaced with a generic autocomplete plugin. Option key renamed from mention to autocomplete, per-trigger settings are now configured via the triggers object. [#713]

Enhancement

• Improve MS Office HTML paste conversion (src/helper/msOffice.js). [#591]

Bugfix

• Fixed a bug where the toolbar was hidden on keypress in balloonAlways / subBalloonAlways mode.
• Fixed a bug where theme classes were included in print output, breaking print styles.
• Fixed a bug where switching folders in the file browser did not refresh the item list and tags, causing search and tag filters to operate on stale data.
• Fixed a bug where menu buttons in layout and template dropdown plugins were missing the data-command attribute, preventing click and keyboard selection from working. [#1627] (@kudlatyamroth)
• Fixed a bug where iframe mode did not work in Firefox — the sandboxed iframe's load event fired twice, clearing content and leaving buttons unresponsive. [#1626] (@kudlatyamroth)

Changes

• Default delayTime for the mention plugin changed from 200 to 120
• The toolbar selectAll button now selects the entire editor content immediately instead of stepping through scopes (keyboard Ctrl+A still uses scope stepping)

Enhancement

• Improved browser search to query all folders instead of only the currently selected folder
• Added keyword highlighting to sbrowser search results for matching file names
• Added a clear button to the browser search form to reset the search
• An expand option has been added to the file browser to control initial folder expand depth (default: 1)

Bugfix

• Fixed a bug where switching folders in the file browser did not update the item list and tags, causing search and tag filters to operate on stale data

Bugfix

• Fixed a bug where using the Full Screen plugin without the Code View plugin caused a null.style reference error. #1621 (@SIMHANSOL)
• Fixed a bug where clicking plugin buttons inside a <form> element triggered form submission. #1622 (@SIMHANSOL)
• Fixed a bug where consecutive media components (image, video) were merged without line breaks during markdown conversion.
• Fixed a bug where the toolbar did not appear when focusing directly on a <pre> element in inline mode.
• Fixed a bug where video rendering failed when switching back from markdown view.

New Feature

• A wordCounter option has been added — displays word count separately in the status bar
• A wordCounter_label option has been added — sets the label text for the word counter
• editor.$.char.getWordCount() API added — returns the word count of the current editor or specified text

Enhancement

• Updated status bar counter layout: word count (left) | character count (right), automatically reversed in RTL

New Feature

• toolbar_sticky option now accepts { top, offset } object for separate desktop/mobile virtual keyboard positioning

Bugfix

• Fix sticky toolbar not adjusting for mobile virtual keyboard
• Fix balloon toolbar not showing on touch devices when selecting text
• Fix sticky toolbar shifting down when virtual keyboard opens inside a scrollable container (e.g., modal)
• Fix mobile not scrolling to cursor when virtual keyboard reopens after toolbar menu interaction
• Fix Enter key not scrolling to cursor on mobile in fixed-height editor with scroll parents