+
+
+
+
+
diff --git a/cypress/platform/xss17.html b/cypress/platform/xss17.html
new file mode 100644
index 0000000000..26f6a208a2
--- /dev/null
+++ b/cypress/platform/xss17.html
@@ -0,0 +1,106 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/package.json b/package.json
index bb2fd08551..1449d05d56 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "mermaid",
- "version": "8.13.6",
+ "version": "8.13.8",
"description": "Markdownish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.",
"main": "dist/mermaid.core.js",
"module": "dist/mermaid.esm.min.mjs",
diff --git a/src/diagrams/common/common.spec.js b/src/diagrams/common/common.spec.js
index e71400479d..967a8d3582 100644
--- a/src/diagrams/common/common.spec.js
+++ b/src/diagrams/common/common.spec.js
@@ -1,4 +1,4 @@
-import { removeScript, removeEscapes } from './common';
+import { sanitizeText, removeScript, removeEscapes } from './common';
describe('when securityLevel is antiscript, all script must be removed', function () {
it('should remove all script block, script inline.', function () {
@@ -69,3 +69,15 @@ describe('remove escape code in text', function () {
expect(result).toEqual('script:');
});
});
+
+describe('Sanitize text', function () {
+ it('should remove script tag', function () {
+ const maliciousStr = 'javajavascript:script:alert(1)';
+ const result = sanitizeText(maliciousStr, {
+ securityLevel: 'strict',
+ flowchart: { htmlLabels: true },
+ });
+ console.log('result', result);
+ expect(result).not.toContain('javascript:alert(1)');
+ });
+});
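Review bot: The assertion on the last line of this new test passes even if `sanitizeText` returns its input untouched, because `'javajavascript:script:alert(1)'` does not itself contain the substring `'javascript:alert(1)'`; it only catches a single-pass `script:` removal that would yield `javajavascript:alert(1)`. Assert the actual post-condition instead, `expect(result).not.toMatch(/javascript:/i);`, or better pin the exact sanitized output with `toEqual` once the expected string is established. The title `should remove script tag` does not describe the input, which contains no tag but a nested `javascript:` scheme; something like `it('should not leave a javascript: scheme after stripping nested script:', …)` matches what is being tested. The `console.log('result', result)` line is debugging noise and should be dropped before merge.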
diff --git a/src/diagrams/sequence/svgDraw.js b/src/diagrams/sequence/svgDraw.js
index cd0058bbf3..ea2340eae2 100644
--- a/src/diagrams/sequence/svgDraw.js
+++ b/src/diagrams/sequence/svgDraw.js
@@ -1,5 +1,6 @@
import common from '../common/common';
import { addFunction } from '../../interactionDb';
+import { sanitizeUrl } from '@braintree/sanitize-url';
export const drawRect = function (elem, rectData) {
const rectElem = elem.append('rect');
@@ -19,12 +20,12 @@ export const drawRect = function (elem, rectData) {
return rectElem;
};
-const sanitizeUrl = function (s) {
- return s
- .replace(/&/g, '&')
- .replace(/ {
addFunction(() => {
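Review bot: The helper removed here and its replacement are not equivalent: `@braintree/sanitize-url` neutralises dangerous URL schemes (`javascript:`, `data:`, `vbscript:`) but performs no HTML entity escaping, whereas the removed body appears to have been an `&`/`<`/`>` entity-replacement chain (its lines are partly garbled in this view, so I can only read the first `.replace(/&/g, …)`). Any call site that interpolated the old return value into markup or an attribute string by concatenation therefore loses that escaping and now relies entirely on d3's `.attr()` quoting; the callers are outside this hunk and should be checked. A short comment at the import, `// scheme-level URL sanitiser only; does NOT HTML-escape the result`, would keep the next maintainer from treating it as an escaper.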
@@ -1055,4 +1056,5 @@ export default {
popupMenu,
popdownMenu,
fixLifeLineHeights,
+ sanitizeUrl,
};
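Review bot: Adding `sanitizeUrl` to the default export makes a third-party function part of svgDraw's public surface, and the only visible consumer is the spec; if the intent is just testability, the spec can import `@braintree/sanitize-url` directly, otherwise mark the line `sanitizeUrl, // re-exported for svgDraw.spec.js; URL scheme sanitiser from @braintree/sanitize-url`. The `package.json` hunk in this diff only bumps the version, so confirm `@braintree/sanitize-url` is declared in `dependencies` (not merely reachable transitively) and pinned, since a URL sanitiser is a security-critical dependency. The `export default {` object this hunk ends starts outside the hunk.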
diff --git a/src/diagrams/sequence/svgDraw.spec.js b/src/diagrams/sequence/svgDraw.spec.js
index 755b8cc246..eb9730c773 100644
--- a/src/diagrams/sequence/svgDraw.spec.js
+++ b/src/diagrams/sequence/svgDraw.spec.js
@@ -1,4 +1,4 @@
-const svgDraw = require('./svgDraw');
+const svgDraw = require('./svgDraw').default;
const { MockD3 } = require('d3');
describe('svgDraw', function () {
@@ -124,4 +124,18 @@ describe('svgDraw', function () {
expect(rect.lower).toHaveBeenCalled();
});
});
+ describe('sanitizeUrl', function () {
+ it('it should sanitize malicious urls', function () {
+ const maliciousStr = 'javascript:script:alert(1)';
+ const result = svgDraw.sanitizeUrl(maliciousStr);
+ console.log('result', result);
+ expect(result).not.toContain('javascript:alert(1)');
+ });
+ it('it should not sanitize non dangerous urls', function () {
+ const maliciousStr = 'javajavascript:script:alert(1)';
+ const result = svgDraw.sanitizeUrl(maliciousStr);
+ console.log('result', result);
+ expect(result).not.toContain('javascript:alert(1)');
+ });
+ });
});
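Review bot: The second test's title promises that non-dangerous URLs pass through, but its input is the same nested-scheme payload as the first test and its assertion is the same negative substring check, which passes even when `sanitizeUrl` returns the input untouched (`'javajavascript:script:alert(1)'` does not literally contain `'javascript:alert(1)'`). Replace it with a benign URL asserted to be returned verbatim, e.g. `expect(svgDraw.sanitizeUrl('https://example.com/path?q=1')).toEqual('https://example.com/path?q=1');`, and give the first test a positive expectation — `@braintree/sanitize-url` substitutes `about:blank` for blocked schemes, so `expect(result).toEqual('about:blank')` pins it (confirm against the installed version). Both `console.log('result', result)` lines are leftover debugging and should be removed. The enclosing `describe('svgDraw')` block starts outside the hunk.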