feat(news): replace django-ckeditor (CKEditor 4) with django-prose-editor (#1269)

[jonfroehlich]

Closes #1269. Replaces django-ckeditor (CKEditor 4 — EOL, unpatched XSS, the most fragile dependency blocking the Django 6.1 LTS upgrade) with django-prose-editor (ProseMirror-based, MIT) for the News editor — the only model using a rich-text field.

Why django-prose-editor

MIT-licensed with no editor-vendor licensing/branding regime (unlike CKEditor 5 / TinyMCE, which both re-introduce license-key churn); lightweight; the django-ckeditor maintainer himself migrated to it. Markdown editors were ruled out because News.content is stored as raw HTML (a Markdown switch would mean a lossy HTML→MD conversion of every post).

Migration is near-lossless (validated)

Ran 51 real production posts through prose-editor's actual nh3 sanitizer (extension-derived allowlist). The only markup dropped across the entire corpus was inline style on <img> (mostly width:100%); all text, links, lists, blockquotes, headings, code, and images survive. No tables/iframes/embeds exist in any post. The field swap is TEXT→TEXT (no schema change); content is sanitized on save.

What changed

• News.content → ProseEditorField(extensions=…, sanitize=True).
• In-body image upload: prose-editor has no native upload, so a staff-only picker view (website/views/news_image_upload.py) is wired to the Figure pickerUrl via the CKEditor-4 filebrowser callback protocol. Reuses media/uploads/ + get_ckeditor_image_filename, validates with validate_image_upload (rejects SVG/HTML), and collects alt text at upload time.
• "Edit HTML" source view enabled (adds nothing to the sanitize allowlist, so source edits are still cleaned on save).
• Responsive images by default: prose-editor drops inline img dimensions on save, and the idempotent normalize_news_image_styles command (wired into docker-entrypoint.sh) strips them from legacy rows so the existing .news-item-content img CSS governs sizing. Eliminates the old manual "set width:100%, erase height in source" ritual.
• Admin editor given a usable min-height (news_admin.css).
• Removed ckeditor/ckeditor_uploader from INSTALLED_APPS, the CKEDITOR_* settings, the ckeditor/ URL include, and the dependency.

Migration shim (temporary; cleanup tracked in #1317)

Gitignored, per-environment historical migrations (0001–0003) import ckeditor_uploader.fields at load time, and the entrypoint re-imports all migrations on every start. Removing the package would crash startup everywhere, and we can't edit prod's migration files. A small in-repo ckeditor_uploader/ shim (a stub RichTextUploadingField(TextField)) keeps that import resolving — mirroring the existing image_cropping in-repo module. It can be deleted once the migrations-in-Git cleanup (#1317) lands; commented there.

Testing

• 296 tests pass including new regression tests (website/tests/test_news_prose_editor.py): sanitize fidelity, upload endpoint auth/callback/rejection, admin widget rendering, normalizer idempotency.
• Verified on a clean image rebuild: startup runs makemigrations/migrate cleanly (shim + AlterField), the normalizer runs, the admin renders the editor with working upload + source view.
• Pa11y: no new violations introduced (pre-existing site-wide color-contrast debt unchanged; the News editor is admin-only/behind login and not scanned).

Screenshot of new editor

Deploy note

Intentionally no SemVer tag in this PR — merging to master deploys to -test only. Will tag for prod after auditing news pages on -test. Version bumped to 2.13.0.

🤖 Generated with Claude Code