config array be set with safe origins or otherwise reject `postMessage`
messages in case from untrusted sources
- Security fix/Breaking change (xdomain): Namespace xdomain file to avoid
it being used to modify non-xdomain storage
- Security fix (Imagelib): Expose `dropXMLInternalSubset` to extensions
for preventing billion laughs attack (and use in Imagelib)
setting (though this was only for trusted origins anyways)
- Security fix (minor): For embedded API example, copy params to iframe
source without XSS risk (though params should already be XML-safe
given `encodeURIComponent` and lack of a single quote attribute context)
- Linting (LGTM): Flag origin-checked item as safe
- Refactoring: Destructuring, ellipsis
- Docs (JSDoc): Missing return value
- Fix: Ensure all apostrophes are escaped for `toXml` utility
- Fix: Avoid error if `URL` is not defined
- Fix (jPicker): Precision argument had not been passed in previously
- Fix (Star extension): Minor: Avoid erring if `inradius` is `NaN`
- Refactoring: Avoid passing unused arguments, setting unused variables,
and making unnecessary checks; avoid useless call to `createSVGMatrix`
- Linting (LGTM): Add `lgtm.yml` file (still some remaining items flagged
but hoping for in-code flagging)
- Docs: Contributing file
- Breaking change (minor): Change export filename to check `exportWindowName` and change default from `download.pdf` to `svg.pdf` to distinguish from other downloads
- Enhancement: Restore old dataURI functionality for non-Chrome browsers
- Fix (i18n): Regression in last commit with locales and apostrophe values
- npm: Avoid adding config files to ignore file
- npm: Bump to 3.0.0-rc.2
- Build: Update build
Incorporates #147
- Fix: Ensure shift-key cycling through flyouts works with extension-added
`includeWith` as well as toolbarbuttons
- Fix: Apply flyout arrows after extensions callback
- Fix: Ensure SVG icon of flyout right-arrow is cloned to can be applied to
more than one extension
- Fix: Ensure line tool shows as selected when "L" key command is used
- Refactoring: Avoid passing on `undefined` var. (#147)
- Refactoring: lbs; avoid indent in connector, destructuring, use map over push
- Docs: Clarify nature of fixes
- Docs: JSDoc for `setupFlyouts`, `Actions`, `toggleSidePanel`; missing for
ToolbarButton
- Fix (Embedded editor): Ensure adding allowedOrigins for embedded response
- Enhancement (Embedded editor): Log if an origin is not whitelisted as sender/receiver
- Demo: Point to raw.githack for proper content-type setting and apparent CORS support; also add `xdomain-svg-editor-es.html` to set origin config and work on Git-based server
