diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js
index 975bd617661..cb89b16441e 100644
--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@@ -5,6 +5,30 @@ export const getRows = s => {
 return str.split('#br#');
 };
+const removeScript = txt => {
+ var rs = '';
+ var idx = 0;
+
+ while (idx >= 0) {
+ idx = txt.indexOf('= 0) {
+ rs += txt.substr(0, idx);
+ txt = txt.substr(idx + 1);
+
+ idx = txt.indexOf('');
+ if (idx >= 0) {
+ idx += 9;
+ txt = txt.substr(idx);
+ }
+ } else {
+ rs += txt;
+ idx = -1;
+ break;
+ }
+ }
+ return rs;
+};
+
 export const sanitizeText = (text, config) => {
 let txt = text;
 let htmlLabels = true;
@@ -14,12 +38,18 @@ export const sanitizeText = (text, config) => {
 )
 htmlLabels = false;
- if (config.securityLevel !== 'loose' && htmlLabels) {
- // eslint-disable-line
- txt = breakToPlaceholder(txt);
- txt = txt.replace(//g, '>');
- txt = txt.replace(/=/g, '=');
- txt = placeholderToBreak(txt);
+ if (htmlLabels) {
+ var level = config.securityLevel;
+
+ if (level == 'antiscript') {
+ txt = removeScript(txt);
+ } else if (level !== 'loose') {
+ // eslint-disable-line
+ txt = breakToPlaceholder(txt);
+ txt = txt.replace(//g, '>');
+ txt = txt.replace(/=/g, '=');
+ txt = placeholderToBreak(txt);
+ }
 }
 return txt;
diff --git a/src/mermaidAPI.js b/src/mermaidAPI.js
index cfeea285ced..9da08a86208 100644
--- a/src/mermaidAPI.js
+++ b/src/mermaidAPI.js
@@ -125,6 +125,7 @@ const config = {
 /**
 * Sets the level of trust to be used on the parsed diagrams.
 * * **strict**: (**default**) tags in text are encoded, click functionality is disabeled
+ * * **antiscript**: tags in text are allowed, (except script is removed), click functionality is enabled
 * * **loose**: tags in text are allowed, click functionality is enabled
 */
 securityLevel: 'strict',
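Review bot: removeScript silently discards everything after an unclosed opening tag: when the closing-tag search (shown here as `idx = txt.indexOf('')`, the tag literals appear stripped in this rendering) returns -1, the `while (idx >= 0)` loop exits without appending the remainder of `txt`, and the fixed `idx += 9` hard-codes the closing tag's length, so both behaviours depend on the exact, case-sensitive spelling of the tag. Failing closed is a reasonable default for a security filter, but it is undocumented; a header such as `/** Strips <script>…</script> runs from txt (case-sensitive match); text after an unclosed opening tag is discarded. */` would make that contract explicit for callers. On style, sanitizeText in the same file uses `let`, so `var rs`/`var idx` should be `let`, and `String.prototype.substr` is deprecated — `slice` with the same arguments behaves identically here because every offset is non-negative.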
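Review bot: `if (level == 'antiscript')` uses loose equality while the sibling branch two lines later uses `!==`; the inconsistency will trip eqeqeq lint rules and should be `if (level === 'antiscript') {`. `var level` is declared inside the `if (htmlLabels)` block but is function-scoped; the function already uses `let` for `txt` and `htmlLabels`, so `const level = config.securityLevel;` fits. Since the encoding branch now runs for every value other than 'antiscript' and 'loose', an unrecognised or misspelled securityLevel still gets the strict encoding, which is the right fail-safe but worth stating with a comment such as `// any other level is treated as 'strict'`.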
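Review bot: The new **antiscript** doc line reads as if the text is made safe, but the branch it describes only calls removeScript and skips the `<`/`>`/`=` encoding that 'strict' applies, so all other markup reaches the rendered label unchanged; readers picking this level should be told it is a weaker guarantee than 'strict' for labels built from untrusted input. Suggest `* * **antiscript**: html tags in text are allowed (only script elements are removed, other markup is not encoded), click functionality is enabled`. The pre-existing typo `disabeled` on the strict line could be corrected in the same touch.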