[Bug]: Custom link protocols no longer possible with the latest link extension update

[tgv1975]

Affected Packages

extension-link

Version(s)

2.10.4

Bug Description

The latest version (2.10.4) introduces a so-called "XSS-prevention" measure by forbidding inserting links with arbitrary/custom protocols like, for example: namespace://my-custom-resource, while restricting protocols to a hardcoded whitelist that cannot be extended by the extension consumers, as far as I can tell.

This prevents the use of link hrefs based on custom protocols that would later be replaced in post-processing independent of TipTap, or even be used as such inside TipTap-generated content deployed in certain environments where those protocols make sense.

I would argue that TipTap is overstepping with this change, as it's a headless WYSIWYG editor that should not make any judgement on stuff beyond an editor's scope (accept user input, format it, output the result).

While certainly crucial, XSS protection should not be the job of the editor. It should be up to the consumer of the link extension to sanitize the href before allowing it or not. Putting this check inside the extension makes it way too opinionated and rigid, and this approach might open de floodgates for other such interventions that really do not belong in a rich text editor. Also, this preventative measure does very little in the way of actually preventing more sophisticated, real-life XSS via links. XSS protection should be dealt with outside TipTap, as it's a huge scope in itself.

I would therefore kindly suggest that either:

• this change is reverted (ideally, thus preserving the initial simplicity of the extension) or
• at least provide a parametric way to specify the allowed protocols (this would likely add even more unwarranted complexity)

Thanks for considering this and for your hard work!

Browser Used

Chrome

Code Example URL

No response

Expected Behavior

When creating a link in TipTap, I should be able to put anything in the link href, any string, any protocol, without restriction. Advanced content sanitization is outside the scope of a generic WYSIWYG editor.

Additional Context (Optional)

n/a

Dependency Updates

• Yes, I've updated all my dependencies.

[tgv1975]

Upon more tinkering, discovered that the protocols config of the Link extension still works:

new Editor({
            ...           
            extensions: [            
                Link.configure({            
                    protocols: ['my-custom-protocol']
                }),
            ...
           ]
});

Will close this issue, leaving it as-is, to show in future searches and help folks running into this.