From c7fe9a646574597adefe3e6fb2b3707112a151aa Mon Sep 17 00:00:00 2001 From: Knut Sveidqvist Date: Tue, 14 May 2024 12:53:41 +0200 Subject: [PATCH 1/3] Fix for proper handling of block-diagram labels --- cypress/integration/other/xss.spec.js | 5 + cypress/platform/xss25.html | 108 ++++++++++++++++++ .../mermaid/src/diagrams/block/blockDB.ts | 8 ++ 3 files changed, 121 insertions(+) create mode 100644 cypress/platform/xss25.html diff --git a/cypress/integration/other/xss.spec.js b/cypress/integration/other/xss.spec.js index 678040f98..d041fa5f4 100644 --- a/cypress/integration/other/xss.spec.js +++ b/cypress/integration/other/xss.spec.js @@ -137,4 +137,9 @@ describe('XSS', () => { cy.wait(1000); cy.get('#the-malware').should('not.exist'); }); + it('should sanitize backticks block diagram labels properly', () => { + cy.visit('http://localhost:9000/xss25.html'); + cy.wait(1000); + cy.get('#the-malware').should('not.exist'); + }); }); diff --git a/cypress/platform/xss25.html b/cypress/platform/xss25.html new file mode 100644 index 000000000..251e1ec23 --- /dev/null +++ b/cypress/platform/xss25.html @@ -0,0 +1,108 @@ + + + + + + + + + + +
Security check
+
+
+
+
+ + + diff --git a/packages/mermaid/src/diagrams/block/blockDB.ts b/packages/mermaid/src/diagrams/block/blockDB.ts index f4881a203..b343a110c 100644 --- a/packages/mermaid/src/diagrams/block/blockDB.ts +++ b/packages/mermaid/src/diagrams/block/blockDB.ts @@ -1,9 +1,11 @@ import type { DiagramDB } from '../../diagram-api/types.js'; import type { BlockConfig, BlockType, Block, ClassDef } from './blockTypes.js'; import * as configApi from '../../config.js'; +import { getConfig } from '../../diagram-api/diagramAPI.js'; import { clear as commonClear } from '../common/commonDb.js'; import { log } from '../../logger.js'; import clone from 'lodash-es/clone.js'; +import common from '../common/common.js'; // Initialize the node database for simple lookups let blockDatabase: Record = {}; @@ -14,9 +16,12 @@ const COLOR_KEYWORD = 'color'; const FILL_KEYWORD = 'fill'; const BG_FILL = 'bgFill'; const STYLECLASS_SEP = ','; +const config = getConfig(); let classes = {} as Record; +const sanitizeText = (txt) => common.sanitizeText(txt, config); + /** * Called when the parser comes across a (style) class definition * @example classDef my-style fill:#f96; @@ -87,6 +92,9 @@ const populateBlockDatabase = (_blockList: Block[] | Block[][], parent: Block): const blockList = _blockList.flat(); const children = []; for (const block of blockList) { + if (block.label) { + block.label = sanitizeText(block.label); + } if (block.type === 'classDef') { addStyleClass(block.id, block.css); continue; From dab26df9c4ca69cc4a8c46a22286a2f63ea9ed3e Mon Sep 17 00:00:00 2001 From: Knut Sveidqvist Date: Tue, 14 May 2024 12:55:39 +0200 Subject: [PATCH 2/3] Fix for proper handling of block-diagram labels --- packages/mermaid/package.json | 2 +- packages/mermaid/src/diagrams/block/blockDB.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/mermaid/package.json b/packages/mermaid/package.json index edb069d98..1175761ac 100644 --- a/packages/mermaid/package.json 
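Review bot: `const config = getConfig();` in the `@@ -14,9 +16,12 @@` hunk runs once, when blockDB.ts is first imported, so `sanitizeText` keeps using whatever configuration existed at import time. If `getConfig()` returns a copy rather than the live object (not visible here), a `securityLevel` or other sanitizer-related setting applied later through initialization or a directive would not reach label sanitization. Reading the configuration per call avoids that: `const sanitizeText = (txt: string) => common.sanitizeText(txt, getConfig());`. The same module-level snapshot is still in place after the `(txt:string)` change in patch 2/3.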
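Review bot: Only `block.label` is sanitized in the `@@ -87,6 +92,9 @@` hunk; in the same loop `block.id` and `block.css` are handed to `addStyleClass` as parsed, and whether any other text field reaches the renderer as HTML is not visible from here. A short comment would record the contract, e.g. `// Sanitize at ingestion: renderers treat block.label as already sanitized`. It is also worth confirming that nested child blocks pass through this loop, since the rest of `populateBlockDatabase` lies outside the hunk. The regression test added in xss.spec.js asserts only that `#the-malware` is absent after `cy.wait(1000)`, which also holds if the diagram never rendered; asserting first that the rendered `svg` exists would make the check meaningful.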
+++ b/packages/mermaid/package.json @@ -1,6 +1,6 @@ { "name": "mermaid", - "version": "10.9.0", + "version": "10.9.1", "description": "Markdown-ish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.", "type": "module", "module": "./dist/mermaid.core.mjs", diff --git a/packages/mermaid/src/diagrams/block/blockDB.ts b/packages/mermaid/src/diagrams/block/blockDB.ts index b343a110c..a9ccdaa0c 100644 --- a/packages/mermaid/src/diagrams/block/blockDB.ts +++ b/packages/mermaid/src/diagrams/block/blockDB.ts @@ -20,7 +20,7 @@ const config = getConfig(); let classes = {} as Record; -const sanitizeText = (txt) => common.sanitizeText(txt, config); +const sanitizeText = (txt:string) => common.sanitizeText(txt, config); /** * Called when the parser comes across a (style) class definition From 8d815f878ce7ba3bc820eb62e36b8a96d1debdbc Mon Sep 17 00:00:00 2001 From: Knut Sveidqvist Date: Tue, 14 May 2024 13:00:45 +0200 Subject: [PATCH 3/3] Lint fix --- packages/mermaid/src/diagrams/block/blockDB.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/mermaid/src/diagrams/block/blockDB.ts b/packages/mermaid/src/diagrams/block/blockDB.ts index a9ccdaa0c..f401495a5 100644 --- a/packages/mermaid/src/diagrams/block/blockDB.ts +++ b/packages/mermaid/src/diagrams/block/blockDB.ts @@ -93,7 +93,7 @@ const populateBlockDatabase = (_blockList: Block[] | Block[][], parent: Block): const children = []; for (const block of blockList) { if (block.label) { - block.label = sanitizeText(block.label); + block.label = sanitizeText(block.label); } if (block.type === 'classDef') { addStyleClass(block.id, block.css);