add security level antiscript option, to let use rich html format but…

… remove all script element.

src/diagrams/common/common.js

@@ -5,6 +5,30 @@ export const getRows = s => {
   return str.split('#br#');
 };
 
+const removeScript = txt => {
+  var rs = '';
+  var idx = 0;
+
+  while (idx >= 0) {
+    idx = txt.indexOf('<script');
+    if (idx >= 0) {
+      rs += txt.substr(0, idx);
+      txt = txt.substr(idx + 1);
+
+      idx = txt.indexOf('</script>');
+      if (idx >= 0) {
+        idx += 9;
+        txt = txt.substr(idx);
+      }
+    } else {
+      rs += txt;
+      idx = -1;
+      break;
+    }
+  }
+  return rs;
+};
+
 export const sanitizeText = (text, config) => {
   let txt = text;
   let htmlLabels = true;
@@ -14,12 +38,18 @@ export const sanitizeText = (text, config) => {
   )
     htmlLabels = false;
 
-  if (config.securityLevel !== 'loose' && htmlLabels) {
-    // eslint-disable-line
-    txt = breakToPlaceholder(txt);
-    txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
-    txt = txt.replace(/=/g, '&equals;');
-    txt = placeholderToBreak(txt);
+  if (htmlLabels) {
+    var level = config.securityLevel;
+
+    if (level == 'antiscript') {
+      txt = removeScript(txt);
+    } else if (level !== 'loose') {
+      // eslint-disable-line
+      txt = breakToPlaceholder(txt);
+      txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+      txt = txt.replace(/=/g, '&equals;');
+      txt = placeholderToBreak(txt);
+    }
   }
 
   return txt;

src/mermaidAPI.js

@@ -125,6 +125,7 @@ const config = {
   /**
    * Sets the level of trust to be used on the parsed diagrams.
    *  * **strict**: (**default**) tags in text are encoded, click functionality is disabeled
+   *  * **antiscript**: tags in text are allowed, (except script is removed), click functionality is enabled
    *  * **loose**: tags in text are allowed, click functionality is enabled
    */
   securityLevel: 'strict',