— so the SAME markup renders in the app and in the standalone HTML export (which inlines report.css) with no report.css additions. Engine: contentEditable + document.execCommand (styleWithCSS on). The editor is UNCONTROLLED (innerHTML is written once on mount and only re-synced from the prop while NOT focused) to avoid caret jumps. Exposes: window.RichText and the pure helpers richHtml / isEmptyHtml / sanitizeHtml (used by the report at render time), plus window.RichTextInternals for tests. ============================================================ */ (function () { // Named font sizes → px. "normal" is the body default and emits NO span. const SIZE_PX = { small: 11, normal: 13, medium: 16, big: 20, title: 28 }; // A fixed, on-brand colour palette (ink / blue / red / green / gold / grey). const COLORS = ["#14242E", "#15B4E7", "#C21626", "#1E9E6A", "#B07E0C", "#7E8E94"]; const ALLOWED_STYLE = new Set(["color", "font-size", "text-align", "font-weight", "font-style", "text-decoration"]); // ---- per-profile tag policy ---------------------------------- // The editor has two sanitisation profiles. "prose" is the original narrow // set used by the report-bound fields (description / footer / notes / reason); // "doc" is a superset used only by the data-room HTML-document editor. A tag // maps to `true` (allowed, only a filtered `style` survives) or to a map of // per-attribute validators (each returns a cleaned value to keep, or null/"" // to drop the attribute). const PROSE_TAGS = { B: true, STRONG: true, I: true, EM: true, U: true, BR: true, DIV: true, P: true, SPAN: true }; function escapeHtml(s) { return String(s == null ? "" : s).replace(/[&<>"]/g, c => ({ "&": "&", "<": "<", ">": ">", '"': """ }[c])); } // Escape a value for safe emission inside a double-quoted attribute (regex path). function escapeAttr(s) { return String(s == null ? "" : s).replace(/[&"]/g, c => (c === "&" ? "&" : """)); } // ---- asset-token helpers ------------------------------------- // Stored doc HTML keeps bare /api/documents/asset/ srcs (no token); the // auth token is appended only for live display/editing and stripped on save, // so saved markup never carries a (user-specific, expiring) token. function stripAssetTokens(url) { return String(url == null ? "" : url).replace( /^(\/api\/documents\/asset\/[^?#]+)(?:\?token=[^#]*)?(#.*)?$/i, (m, path, frag) => path + (frag || "") ); } function withAssetTokens(html) { const t = (typeof window !== "undefined" && window.api && window.api.token && window.api.token()) || ""; if (!t) return String(html == null ? "" : html); return String(html).replace( /(\ssrc\s*=\s*["'])(\/api\/documents\/asset\/[^"'?#]+)(["'])/gi, (m, p1, url, p3) => p1 + url + "?token=" + t + p3 ); } // ---- attribute validators (pure; exported for tests) ---------- function validHref(v) { v = String(v == null ? "" : v).trim(); if (!v) return null; if (/^(javascript|data|vbscript|file):/i.test(v)) return null; // block dangerous schemes if (/^(https?:|mailto:)/i.test(v)) return v; if (/^(\/|\.{0,2}\/|#)/.test(v)) return v; // root / relative / anchor if (!/:/.test(v)) return v; // scheme-less relative return null; // unknown scheme → drop } function validImgSrc(v) { v = stripAssetTokens(String(v == null ? "" : v).trim()); if (!v) return null; if (/^https?:\/\//i.test(v)) return v; // absolute http(s) if (/^data:image\/(png|jpe?g|gif|webp|avif|svg\+xml);/i.test(v)) return v; // data:image/* only if (/^\/[^/]/.test(v)) return v; // root-relative /api/… (rejects //host) return null; } function validDim(v) { v = String(v == null ? "" : v).trim(); return /^\d{1,4}$/.test(v) ? v : null; } function keepShort(v) { const s = String(v == null ? "" : v); return s.length > 512 ? s.slice(0, 512) : s; } const DOC_TAGS = Object.assign({}, PROSE_TAGS, { H1: true, H2: true, H3: true, UL: true, OL: true, LI: true, BLOCKQUOTE: true, HR: true, TABLE: true, THEAD: true, TBODY: true, TR: true, TD: true, TH: true, A: { href: validHref }, IMG: { src: validImgSrc, alt: keepShort, width: validDim, height: validDim }, }); const PROFILES = { prose: { tags: PROSE_TAGS }, doc: { tags: DOC_TAGS } }; function profileOf(p) { return PROFILES[p] || PROFILES.prose; } // A value is "HTML" once it carries a real tag (an opener/closer that closes // with a >). "a) and "x < y" stay plain text and get escaped. function isHtml(v) { return /<\/?[a-z][\s\S]*>/i.test(v || ""); } // Treats
,

, ,

etc. as empty so the cover's // `{description && …}` guard still hides the block for "blank" rich values. function isEmptyHtml(v) { if (v == null) return true; const txt = String(v) .replace(//gi, "") .replace(/<[^>]+>/g, "") .replace(/ | /gi, " ") .replace(/\s+/g, ""); return txt === ""; } // Has the modal draft actually diverged from the value it opened with? Two // markups that are both "blank" (see isEmptyHtml) count as unchanged, so a // stray
the engine emits never triggers a spurious "discard?" prompt. function draftDirty(original, draft) { if (isEmptyHtml(original) && isEmptyHtml(draft)) return false; return String(original == null ? "" : original) !== String(draft == null ? "" : draft); } // Keep only whitelisted declarations; drop url()/expression/javascript: and // absurdly long values. Returns a clean "prop:val;prop:val" string. function safeStyle(decl) { const out = []; String(decl || "").split(";").forEach(part => { const i = part.indexOf(":"); if (i < 0) return; const prop = part.slice(0, i).trim().toLowerCase(); const val = part.slice(i + 1).trim(); if (!ALLOWED_STYLE.has(prop)) return; if (/url\s*\(|expression|javascript:/i.test(val)) return; if (!val || val.length > 64) return; out.push(prop + ":" + val); }); return out.join(";"); } // Regex sanitizer — the contract used in tests (the vm sandbox has no // DOMParser) and the fallback when DOMParser is unavailable. Strips //