Merge branch 'master'

Conflicts:
	cypress/platform/xss7.html

README.md

@@ -6,7 +6,7 @@
 
 **Thanks to all involved, people committing pull requests, people answering questions! 🙏**
 
-<a href="https://mermaid-js.github.io/mermaid/landing/" alt="Link to landing page for the book The Official Guide To mermaid.js"><img src="https://github.com/mermaid-js/mermaid/blob/master/docs/img/book-banner-pre-release.jpg"></a>
+<a href="https://mermaid-js.github.io/mermaid/landing/" alt="Link to landing page for the book The Official Guide To mermaid.js"><img src="https://github.com/mermaid-js/mermaid/blob/master/docs/img/book-banner-post-release.jpg"></a>
 
 ## About
 

cypress/platform/xss7.html

@@ -54,7 +54,11 @@
         // themeCSS: '.edgePath .path {stroke: red;} .arrowheadPath {fill: red;}',
         logLevel: 0,
         state: {
+<<<<<<< HEAD
           defaultRenderer: 'dagre-d3',
+=======
+          defaultRenderer: 'dagre-wrapper',
+>>>>>>> master
         },
         flowchart: {
           // defaultRenderer: 'dagre-wrapper',
@@ -68,9 +72,9 @@
         // fontFamily: 'courier',
         fontSize: 18,
         curve: 'basis',
+        securityLevel: 'antiscript',
         startOnLoad: false,
-        secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'],
+        secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize']
-        securityLevel: 'loose',
         // themeVariables: {relationLabelColor: 'red'}
       });
       function callback(){alert('It worked');}
@@ -82,10 +86,10 @@
         document.getElementsByTagName('body')[0].appendChild(div);
         throw new Error('XSS Succeded');
       }
-
+      var diagram = "graph LR\n";
-
+  diagram += " B(<a href='<";
-      var diagram = "stateDiagram-v2\n";
+  diagram += "script></";
-     diagram += "<img/src='1'/onerror=xssAttack()> --> B";
+  diagram += "script>Javascript:xssAttack`1`'>Click)";
   // diagram += "script\u003aalert\u0028document.domain\u0029\` src=x>\"\);\n";
   console.log(diagram);
   // document.querySelector('#diagram').innerHTML = diagram;

docs/index.html

@@ -8,8 +8,8 @@
   <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
   <!-- <link rel="stylesheet" href="//unpkg.com/docsify/lib/themes/vue.css"> -->
   <link rel="stylesheet" href="theme.css">
-  <!-- <script src="//cdn.jsdelivr.net/npm/mermaid@8.12.0/dist/mermaid.min.js"></script> -->
+  <script src="//cdn.jsdelivr.net/npm/mermaid@8.13.0/dist/mermaid.min.js"></script>
-  <script src="http://localhost:9000/mermaid.js"></script>
+  <!-- <script src="http://localhost:9000/mermaid.js"></script> -->
   <script>
     (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
     (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),

src/diagrams/common/common.js

@@ -29,10 +29,11 @@ export const removeScript = (txt) => {
     }
   }
 
-  rs = rs.replace(/javascript:/g, '#');
+  rs = rs.replace(/script>/gi, '#');
-  rs = rs.replace(/onerror=/g, 'onerror:');
+  rs = rs.replace(/script>/gi, '#');
-  rs = rs.replace(/<iframe/g, '');
+  rs = rs.replace(/javascript:/gi, '#');
-
+  rs = rs.replace(/onerror=/gi, 'onerror:');
+  rs = rs.replace(/<iframe/gi, '');
   return rs;
 };
 
@@ -64,7 +65,7 @@ const sanitizeMore = (text, config) => {
 };
 
 export const sanitizeText = (text, config) => {
-  const txt = sanitizeMore(DOMPurify.sanitize(text), config);
+  const txt = DOMPurify.sanitize(sanitizeMore(text, config));
   return txt;
 };