1e2e6529d2
Critical privacy/data integrity fix: Move cross-domain capable message listener into own extension (ext-xdomain-messaging.js) and do not include by default (the extension now won't work anyway without an allowedOrigins config first being set (in config.js) for security reasons (and not via URL)); add allowedOrigins config and demo use in config-sample.js; JSLint; update embedapi.html to supply the xdomain extension in case running xdomain (again, allowedOrigins must be supplied in the local copy of config.js for this to work); modify embedapi.js to allow reuse of cross-domain API with same-domain usage, but without the intermediate JSON parsing which could lose some non-JSONable arguments or response.
Brett Zamir
2014-02-22 04:08:24 +00:00
bb75f34ec3
Require extensions to begin with "ext-" and end with ".js" to prevent URL-prompted loading of other files within the extPath.
Brett Zamir
2014-02-19 05:26:46 +00:00
9129d652e4
Add storage strings to other locales
Brett Zamir
2014-02-19 04:33:21 +00:00
dc1bf5d88c
Safer encoding of cookies; ensure emptyStorageOnDecline only works with explicit decline (and as before, with config so set); add cookie removal to emptyStorageOnDecline behavior
Brett Zamir
2014-02-19 01:37:21 +00:00
51dcf01415
Minor: Avoid internal use of svgEditor, fix comment
Brett Zamir
2014-02-18 23:57:49 +00:00
e463b43220
1. Reference config.js in the editor (and remove encouragement for adding extensions to HTML) but ignore config.js in SVN (let user configure) but supply config-sample.js to indicate config/pref/extension possibilities; 2. Move ext-overview_window.js to default but overridable list of extensions (as with other extensions); 3. Allow extensions to avoid problems if failing to return an object (in svgcanvas.js); 4. Support new langReady callback to ensure extension always called when locale info is ready (and always load locale, even English); 5. Move localStorage storing to a new (i18n-ized and available-by-default) storage extension which adds a dialog asking user for whether to store prefs and/or SVG content; $.pref() now falls back to checking defaultPrefs (which may have been expanded at runtime to include URL or storage settings); use new config "forceStorage" to get old (bad) behavior; 6. Remove initial cap from "Editor" to reflect singleton nature of object (as compared to JSLint conventions for initial cap constructors); 7. Begin a little JSDoc, clearer grouping of properties/methods; JSLint/clean-up; 8. Omit values for lang and iconsize to be successfully auto-detected; 9. Document "save_notice_done" and "export_notice_done" within list of prefs; document "showlayers" and "no_save_warning" as config; 10. Add "preventAllURLConfig" and "preventURLContentLoading" config for URL security; 11. Add "lockExtensions" and "noDefaultExtensions" config for URL behavior re: extension loading; 12. Document "showGrid", and new "noStorageOnLoad" and "emptyStorageOnDecline" extension-related config; 13. Change setConfig to allow a second object with "overwrite" and "allowInitialUserOverride" properties and to behave accordingly (with URL config acting with overwrite=false to act under lower priority given security concern), along with checking "preventAllURLConfig" and "lockExtensions" config; 14. Remove any dupe extensions; 15. Strip all path config from URL setting in addition to extPath (imgPath, langPath, jGraduatePath); 16. Support select+checkbox type dialog (used for storage ext.); 17. Ensure clickSelect is public so can be properly used by ext-connector.js; 18. Reinstate 'in' checks just to be safe; 19. Fix broken linkControlPoints() and addSubPath() functions; 20. Fix problem when position returned by extension object was too high (e.g., if too few other extensions were included).
Brett Zamir
2014-02-18 15:06:27 +00:00
74810573b2
Change group to group_elements (though keep duplicate group under old name in case it is supposed to have a different function)
Brett Zamir
2014-02-11 01:58:57 +00:00
7295eece09
Potentially breaking change: Prevent setting of extPath via URL and prevent setting of cross-domain or cross-folder extensions via URL, i.e., if the extensions string possesses the character ":", "/", or, to be extra safe, "\" (issue #4 of mailing list post "Agenda for resolving security issues"). extPath and extensions can still be meaningfully set freely via setConfig calls, e.g., "svgCanvas.setConfig({extPath: ..., extensions: ...});" if made before Editor.init() is called in svg-editor.js (which is called on a jQuery ready (i.e., DOMContentLoaded) event). To avoid modifying svg-editor.html, one could build an extension which loaded its own scripts as done by the simple extFunc() function in svg-editor.js, but this would occur a little later (Should we export extFunc() for this usage?).
Brett Zamir
2014-02-10 05:33:05 +00:00
bc3f7923e0
Very minor clean-up
Brett Zamir
2014-02-04 04:08:24 +00:00
1181de6847
Minor clean-up; UTF-8 for SVG
Brett Zamir
2014-02-02 01:06:25 +00:00
0e9a7a7766
Avoid URL decoding; remove dead code; add encoding to XML Declaration in php_savefile extension
Brett Zamir
2014-02-01 16:42:46 +00:00
21c946fd99
server_opensave-related changes: 1) Be more lenient in filename possibilities for server_opensave (supporting Unicode except characters disallowed in Windows file names); 2) XHTML escape filename and SVG content when put into HTML hidden input element as opposed to unnecessary URL-encoding; 3) fix base64 encoding (with update to dependent utf8-encoding function)--old base64 code caused SVG to break with surrogate pairs (e.g., in title); 4) provide default UTF-8 encoding in XML declaration and add this XML declaration to the download attribute as well
Brett Zamir
2014-02-01 16:13:51 +00:00
496ee1e875
Possible todo to support server-side saving of exports as well
Brett Zamir
2014-01-31 13:12:52 +00:00
f67b3f3e4f
Change Polish key export_png to export_img (as already changed in other locales); have emailed for confirmation of accuracy of translation, awaiting reply
Brett Zamir
2014-01-31 13:06:43 +00:00
7fc5c51d66
Delete old insecure server-save PHP in favor of a new php-savefile extension which requires addition by user of a configuration page "savefile_config.php" in order to work (and where the user should do their own validation). Add this config file and "saved.svg" (the default name when no filename is supplied) to SVN ignore list.
Brett Zamir
2014-01-31 12:58:16 +00:00
515de36d65
Check for urldata.extPath!
Brett Zamir
2014-01-31 12:22:20 +00:00
c5fbdce9cd
jQuery should already be encoding in a POST data request
Brett Zamir
2014-01-31 11:38:30 +00:00
7c3bc9189f
Minor: single quotes
Brett Zamir
2014-01-31 11:31:41 +00:00
afa427a4a2
Begin JSLint journey
Brett Zamir
2014-01-31 00:27:46 +00:00
6b5a4e645e
Change beforeunload to use addEventListener (only supporting IE9 now and better to allow multiple if user wishes); also CamelCase internal variable for consistency; add brackets
Brett Zamir
2014-01-31 00:06:50 +00:00
7a4d8949c7
Changing naming of "method" to "mode" in error (very minor)
Brett Zamir
2014-01-26 11:06:27 +00:00
d666be9bce
- Now you can choose Polish translation in "Editor options"
Aleksander Lurie
2013-10-29 08:19:13 +00:00
33351a5d61
- full translation
Aleksander Lurie
2013-10-29 08:06:26 +00:00
e17b03a59b
Filter out bad MIME types from fileopen.php and share allowable array with filesave.php
Brett Zamir
2013-10-29 07:26:29 +00:00
395badc387
Avoid duplicate sliders when switching between WEBP and JPEG (thanks adrianbjones for the report!); fix tabs
Brett Zamir
2013-10-29 07:07:09 +00:00
5ff2311348
Making tabbing consistent
Brett Zamir
2013-10-29 06:54:31 +00:00
c3c98033b6
Fix data:image/svg link loading for imagelib extension; fix server_opensave-extension-opened SVG files for older browsers; leverage utilities base 64 encoding in place of btoa also in server_opensave extension
Brett Zamir
2013-10-29 06:33:37 +00:00
a0d485d336
Type sanitization for fileopen.php (no more need for character set/HTML-type concerns on htmlentities)
Brett Zamir
2013-10-29 06:13:33 +00:00
2b35ec344b
Prevent errors in svg-editor when imagelib extension is used; Update imagelib to proper HTML5 with charset
Brett Zamir
2013-10-29 03:43:10 +00:00
a682236528
Add HTML charset to tests, opera widget
Brett Zamir
2013-10-29 03:32:01 +00:00
2400493cab
Add charset to HTML5 doc (and make more XHTML friendly)
Brett Zamir
2013-10-29 03:09:52 +00:00
e5f3e81a07
Change ext-server_opensave.js to work wholly client-side if download attribute supported (and JSLint in process)
Brett Zamir
2013-10-29 01:26:23 +00:00
f8aeacd7a8
Support PNG, JPEG, BMP, WEBP export formats by change of "Export to PNG" menu item into "Export" with its own pull-down dialog (and an HTML5 range type input element for "quality" selection for JPEG or WEBP files), including changes for the server_opensave extension; change locale key from "export_png" to "export_img" and change the corresponding localized strings (currently CS, DE, ES, FR, IT, NL, PT-BR, RO, SK, all reset to English to avoid translation errors); within the setCustomHandlers() API, deprecate "pngsave" in favor of "exportImage" (chosen to avoid just using the simpler but reserved JS keyword "export") including use within the server_opensave extension; a few JSLint-friendly changes
Brett Zamir
2013-10-28 03:53:30 +00:00
0c88f41818
Very minor commenting issues (sp./clarify comment)
Brett Zamir
2013-10-18 12:31:35 +00:00
009a9e67ce
Note on limitations (these limitations existed prior to the eval() dependency removal)
Brett Zamir
2013-10-14 03:25:35 +00:00
c75661c758
Indent consistency per file
Brett Zamir
2013-10-14 01:50:42 +00:00
80c16aa6ef
Move back to string messages for postMessage for sake of IE9 (though not with eval); avoid IE9 error with localStorage and missing select icon
Brett Zamir
2013-10-14 01:24:52 +00:00
52419049fe
Remove type=text/javascript and trailing whitespace from Wave svg-edit.xml source
Brett Zamir
2013-10-14 00:57:11 +00:00
ffde8814ac
Fix security issue by avoiding use of eval() within postMessage calls between embedAPI and main editor (also namespace the messages and protect the imagelib extension message listener from non-string messages); avoid embedAPI's unneeded randomizing of callback IDs in favor of incrementing; deprecate old embedded_svg_edit API name in favor of JS/JSLint-friendly EmbeddedSVGEdit name (and allow it to be instantiated w/o new keyword); JSLint/HTML5-ize embedAPI files, remove HTML5/browser-optional type="text/javascript", remove unused comments for embedAPI
Brett Zamir
2013-10-13 23:59:32 +00:00
d625e03e89
Remove unnecessary eval() dependency for tooltip hiding (also removed in commented out portion) (though this commit does not convert string-based setTimeouts into function-based ones)
Brett Zamir
2013-10-12 00:04:22 +00:00