add security level antiscript option, to let use rich html format but…

… remove all script element.
mermaid-js · Jul 5, 2020 · fce2a16 · fce2a16
1 parent 5242672
commit fce2a16
Show file tree

Hide file tree

Showing 3 changed files with 66 additions and 8 deletions.
diff --git a/src/config.js b/src/config.js
@@ -77,11 +77,12 @@ const config = {
   /**
    *| Parameter | Description |Type | Required | Values|
    *| --- | --- | --- | --- | --- |
-   *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose |
+   *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose, antiscript |
    *
    ***Notes:
    *-   **strict**: (**default**) tags in text are encoded, click functionality is disabeled
    *-   **loose**: tags in text are allowed, click functionality is enabled
+   *-   **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled
    */
   securityLevel: 'strict',
 

diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js
@@ -5,6 +5,30 @@ export const getRows = s => {
   return str.split('#br#');
 };
 
+export const removeScript = txt => {
+  var rs = '';
+  var idx = 0;
+
+  while (idx >= 0) {
+    idx = txt.indexOf('<script');
+    if (idx >= 0) {
+      rs += txt.substr(0, idx);
+      txt = txt.substr(idx + 1);
+
+      idx = txt.indexOf('</script>');
+      if (idx >= 0) {
+        idx += 9;
+        txt = txt.substr(idx);
+      }
+    } else {
+      rs += txt;
+      idx = -1;
+      break;
+    }
+  }
+  return rs;
+};
+
 export const sanitizeText = (text, config) => {
   let txt = text;
   let htmlLabels = true;
@@ -14,12 +38,18 @@ export const sanitizeText = (text, config) => {
   )
     htmlLabels = false;
 
-  if (config.securityLevel !== 'loose' && htmlLabels) {
-    // eslint-disable-line
-    txt = breakToPlaceholder(txt);
-    txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
-    txt = txt.replace(/=/g, '&equals;');
-    txt = placeholderToBreak(txt);
+  if (htmlLabels) {
+    var level = config.securityLevel;
+
+    if (level == 'antiscript') {
+      txt = removeScript(txt);
+    } else if (level !== 'loose') {
+      // eslint-disable-line
+      txt = breakToPlaceholder(txt);
+      txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+      txt = txt.replace(/=/g, '&equals;');
+      txt = placeholderToBreak(txt);
+    }
   }
 
   return txt;
@@ -48,5 +78,6 @@ export default {
   sanitizeText,
   hasBreaks,
   splitBreaks,
-  lineBreakRegex
+  lineBreakRegex,
+  removeScript
 };
diff --git a/src/diagrams/common/common.spec.js b/src/diagrams/common/common.spec.js
@@ -0,0 +1,26 @@
+import { removeScript } from './common';
+
+describe('when securityLevel is antiscript, all script must be removed', function() {
+  it('should remove all script block, script inline.', function() {
+    const labelString = `1
+		Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
+		<b>Act2</b>:
+		1<script>
+			alert('script run......');
+		</script>1
+	1`;
+
+	const result = removeScript(labelString);
+	const hasScript = (result.indexOf("script") >= 0);
+    expect(hasScript).toEqual(false);
+
+	const exactlyString = `1
+		Act1: Hello 11
+		<b>Act2</b>:
+		11
+	1`;
+
+	const isEqual = (result == exactlyString);
+    expect(isEqual).toEqual(true);
+  });
+});