diff --git a/cypress/helpers/util.js b/cypress/helpers/util.js index 7ec960b97..4d13b3590 100644 --- a/cypress/helpers/util.js +++ b/cypress/helpers/util.js @@ -60,7 +60,7 @@ export const renderGraph = (graphStr, options, api) => { openURLAndVerifyRendering(url, options); }; -const openURLAndVerifyRendering = (url, options, validation = undefined) => { +export const openURLAndVerifyRendering = (url, options, validation = undefined) => { const useAppli = Cypress.env('useAppli'); const name = (options.name || cy.state('runnable').fullTitle()).replace(/\s+/g, '-'); diff --git a/cypress/integration/other/ghsa.spec.js b/cypress/integration/other/ghsa.spec.js index 8f28d9f53..912f35728 100644 --- a/cypress/integration/other/ghsa.spec.js +++ b/cypress/integration/other/ghsa.spec.js @@ -1,4 +1,4 @@ -import { urlSnapshotTest } from '../../helpers/util.js'; +import { urlSnapshotTest, openURLAndVerifyRendering } from '../../helpers/util.js'; describe('CSS injections', () => { it('should not allow CSS injections outside of the diagram', () => { @@ -13,4 +13,11 @@ describe('CSS injections', () => { flowchart: { htmlLabels: false }, }); }); + it('should not allow manipulating styletags using arrowheads', () => { + openURLAndVerifyRendering('http://localhost:9000/xss23-css.html', { + logLevel: 1, + arrowMarkerAbsolute: false, + flowchart: { htmlLabels: true }, + }); + }); }); diff --git a/cypress/platform/xss23-css.html b/cypress/platform/xss23-css.html new file mode 100644 index 000000000..cc5b6f0bf --- /dev/null +++ b/cypress/platform/xss23-css.html @@ -0,0 +1,85 @@ + + + + + + + + + +
Security check
+
+
+
+
+
+ + + diff --git a/docs/config/setup/modules/mermaidAPI.md b/docs/config/setup/modules/mermaidAPI.md index ef04c10c3..b5e48b229 100644 --- a/docs/config/setup/modules/mermaidAPI.md +++ b/docs/config/setup/modules/mermaidAPI.md @@ -96,7 +96,7 @@ mermaid.initialize(config); #### Defined in -[mermaidAPI.ts:667](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L667) +[mermaidAPI.ts:670](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L670) ## Functions @@ -127,7 +127,7 @@ Return the last node appended #### Defined in -[mermaidAPI.ts:306](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L306) +[mermaidAPI.ts:309](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L309) --- @@ -295,7 +295,7 @@ Put the svgCode into an iFrame. Return the iFrame code #### Defined in -[mermaidAPI.ts:285](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L285) +[mermaidAPI.ts:288](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L288) --- @@ -320,4 +320,4 @@ Remove any existing elements from the given document #### Defined in -[mermaidAPI.ts:356](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L356) +[mermaidAPI.ts:359](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L359) diff --git a/packages/mermaid/src/mermaidAPI.ts b/packages/mermaid/src/mermaidAPI.ts index e96407638..755fa8258 100644 --- a/packages/mermaid/src/mermaidAPI.ts +++ b/packages/mermaid/src/mermaidAPI.ts @@ -263,7 +263,10 @@ export const cleanUpSvgCode = ( // Replace marker-end urls with just the # anchor (remove the preceding part of the URL) if (!useArrowMarkerUrls && !inSandboxMode) { - cleanedUpSvg = cleanedUpSvg.replace(/marker-end="url\(.*?#/g, 'marker-end="url(#'); + cleanedUpSvg = cleanedUpSvg.replace( + /marker-end="url\([\d+./:=?A-Za-z-]*?#/g, + 'marker-end="url(#' + ); } cleanedUpSvg = decodeEntities(cleanedUpSvg);