diff --git a/cypress/integration/other/xss.spec.js b/cypress/integration/other/xss.spec.js
index fa4ca4fc8..678040f98 100644
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -132,4 +132,9 @@ describe('XSS', () => {
 cy.wait(1000);
 cy.get('#the-malware').should('not.exist');
 });
+ it('should sanitize backticks in class names properly', () => {
+ cy.visit('http://localhost:9000/xss24.html');
+ cy.wait(1000);
+ cy.get('#the-malware').should('not.exist');
+ });
 });
diff --git a/cypress/platform/knsv2.html b/cypress/platform/knsv2.html
index f9a9f3756..6ade6a2e5 100644
--- a/cypress/platform/knsv2.html
+++ b/cypress/platform/knsv2.html
@@ -58,12 +58,10 @@
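Review bot: The new case's only assertion, `cy.get('#the-malware').should('not.exist')`, is also satisfied when nothing has rendered yet, so it passes vacuously whenever the fixed `cy.wait(1000)` elapses before mermaid has finished drawing xss24.html; for a security regression test that means a slow render can hide a real regression. The existing cases in this file follow the same pattern, so the commit is consistent with them, but it would be stronger to wait on a positive render signal from the fixture page (whatever element xss24.html produces once the diagram is drawn — not visible in this diff) before asserting the absence of `#the-malware`, and to drop the fixed sleep. If the page uses a callback or a known container id, something like `cy.get('<rendered-diagram-selector>').should('exist');` (placeholder selector) ahead of the negative assertion would do.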
- flowchart - classDef mainCategories fill:#f9d5e5, stroke:#233d4d,stroke-width:2px, font-weight:bold; - CS(Customer Awareness Journey):::mainCategories --
+ classDiagram + `Class+` <|-- `Class2
` +
flowchart Node1:::class1 --> Node2:::class2 Node1:::class1 --> Node3:::class2 diff --git a/cypress/platform/xss10.html b/cypress/platform/xss10.html index 3a8157fed..79fa97136 100644 --- a/cypress/platform/xss10.html +++ b/cypress/platform/xss10.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss11.html b/cypress/platform/xss11.html index 302f39ee9..3b505b741 100644 --- a/cypress/platform/xss11.html +++ b/cypress/platform/xss11.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss12.html b/cypress/platform/xss12.html index b1e2c1d0a..75059e8af 100644 --- a/cypress/platform/xss12.html +++ b/cypress/platform/xss12.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss13.html b/cypress/platform/xss13.html index 9f505ea7b..9ee2a7304 100644 --- a/cypress/platform/xss13.html +++ b/cypress/platform/xss13.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss15.html b/cypress/platform/xss15.html index 3fa6b7151..bfd3f1652 100644 --- a/cypress/platform/xss15.html +++ b/cypress/platform/xss15.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss16.html b/cypress/platform/xss16.html index 6f8a734eb..0b8c0c9f7 100644 --- a/cypress/platform/xss16.html +++ b/cypress/platform/xss16.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss17.html b/cypress/platform/xss17.html index bd7e1c57e..2a0470126 100644 --- a/cypress/platform/xss17.html +++ b/cypress/platform/xss17.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss18.html b/cypress/platform/xss18.html index ccacfadbb..df1bee1dd 100644 --- a/cypress/platform/xss18.html +++ b/cypress/platform/xss18.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss19.html b/cypress/platform/xss19.html index 7966abb8c..4d7bb6e08 100644 
--- a/cypress/platform/xss19.html +++ b/cypress/platform/xss19.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss20.html b/cypress/platform/xss20.html index f290898b2..bbe2dd00b 100644 --- a/cypress/platform/xss20.html +++ b/cypress/platform/xss20.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss21.html b/cypress/platform/xss21.html index 7cfa17c9e..be7289b7f 100644 --- a/cypress/platform/xss21.html +++ b/cypress/platform/xss21.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss23-css.html b/cypress/platform/xss23-css.html index cc5b6f0bf..c4bc43b6a 100644 --- a/cypress/platform/xss23-css.html +++ b/cypress/platform/xss23-css.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss24.html b/cypress/platform/xss24.html new file mode 100644 index 000000000..5ca092d65 --- /dev/null +++ b/cypress/platform/xss24.html @@ -0,0 +1,109 @@ + + + + + + + + + + +Security check++ + ++ + + diff --git a/cypress/platform/xss5.html b/cypress/platform/xss5.html index f7abf7a45..e9855f3f7 100644 --- a/cypress/platform/xss5.html +++ b/cypress/platform/xss5.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security check@@ -84,14 +94,6 @@ function callback() { alert('It worked'); } - function xssAttack() { - const div = document.createElement('div'); - div.id = 'the-malware'; - div.className = 'malware'; - div.innerHTML = 'XSS Succeeded'; - document.getElementsByTagName('body')[0].appendChild(div); - throw new Error('XSS Succeeded'); - } let diagram = 'graph LR\n'; diagram += 'B-->D("\"\);\n"; diff --git a/cypress/platform/xss6.html b/cypress/platform/xss6.html index 7d7ae18d1..bf321fc67 100644 --- a/cypress/platform/xss6.html +++ b/cypress/platform/xss6.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security checkdiff --git a/cypress/platform/xss7.html b/cypress/platform/xss7.html index 177b4342c..36abe7b41 100644 --- a/cypress/platform/xss7.html +++ b/cypress/platform/xss7.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss8.html b/cypress/platform/xss8.html index 5852c2693..15358b6f0 100644 --- a/cypress/platform/xss8.html +++ b/cypress/platform/xss8.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/cypress/platform/xss9.html b/cypress/platform/xss9.html index cf2ad1359..a9c652b59 100644 --- a/cypress/platform/xss9.html +++ b/cypress/platform/xss9.html @@ -42,6 +42,16 @@ font-size: 72px; } +Security checkdiff --git a/packages/mermaid/src/diagrams/class/classDb.ts b/packages/mermaid/src/diagrams/class/classDb.ts index b2485267a..45ca1ed16 100644 --- a/packages/mermaid/src/diagrams/class/classDb.ts +++ b/packages/mermaid/src/diagrams/class/classDb.ts @@ -36,7 +36,8 @@ let functions: any[] = []; const sanitizeText = (txt: string) => common.sanitizeText(txt, configApi.getConfig()); -const splitClassNameAndType = function (id: string) { +const splitClassNameAndType = function (_id: string) { + const id = common.sanitizeText(_id, configApi.getConfig()); let genericType = ''; let className = id; @@ -49,7 +50,8 @@ const splitClassNameAndType = function (id: string) { return { className: className, type: genericType }; }; -export const setClassLabel = function (id: string, label: string) { +export const setClassLabel = function (_id: string, label: string) { + const id = common.sanitizeText(_id, configApi.getConfig()); if (label) { label = sanitizeText(label); } 
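Review bot: `splitClassNameAndType` now inlines `common.sanitizeText(_id, configApi.getConfig())` even though the file's local helper `sanitizeText`, defined two lines above in this hunk, wraps exactly that call; `const id = sanitizeText(_id);` keeps the new entry-point sanitisation in one place and cannot drift from the helper. The same inlined call is repeated in `setClassLabel` in the next hunk of this file and again in `addClass`, `lookUpDomId` and `setClickFunc` further down, so a later change to how text is sanitised (a different config, a stricter DOMPurify profile) would have to be made in six places rather than one. The bodies of `splitClassNameAndType` and `setClassLabel` continue outside their hunks, so I cannot tell from here whether any other raw use of `_id` remains below the sanitised `id` binding; worth a quick grep before merge.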
@@ -64,22 +66,25 @@ export const setClassLabel = function (id: string, label: string) {
 * @param id - Id of the class to add
 * @public
 */
-export const addClass = function (id: string) {
+export const addClass = function (_id: string) {
+ const id = common.sanitizeText(_id, configApi.getConfig());
 const { className, type } = splitClassNameAndType(id);
 // Only add class if not exists
 if (Object.hasOwn(classes, className)) {
 return;
 }
-
- classes[className] = {
- id: className,
+ // alert('Adding class: ' + className);
+ const name = common.sanitizeText(className, configApi.getConfig());
+ // alert('Adding class after: ' + name);
+ classes[name] = {
+ id: name,
 type: type,
- label: className,
+ label: name,
 cssClasses: [],
 methods: [],
 members: [],
 annotations: [],
- domId: MERMAID_DOM_ID_PREFIX + className + '-' + classCounter,
+ domId: MERMAID_DOM_ID_PREFIX + name + '-' + classCounter,
 } as ClassNode;
 
 classCounter++;
@@ -91,7 +96,8 @@ export const addClass = function (id: string) {
 * @param id - class ID to lookup
 * @public
 */
-export const lookUpDomId = function (id: string): string {
+export const lookUpDomId = function (_id: string): string {
+ const id = common.sanitizeText(_id, configApi.getConfig());
 if (id in classes) {
 return classes[id].domId;
 }
@@ -296,7 +302,8 @@ export const setClickEvent = function (ids: string, functionName: string, functi
 setCssClass(ids, 'clickable');
 };
 
-const setClickFunc = function (domId: string, functionName: string, functionArgs: string) {
+const setClickFunc = function (_domId: string, functionName: string, functionArgs: string) {
+ const domId = common.sanitizeText(_domId, configApi.getConfig());
 const config = configApi.getConfig();
 if (config.securityLevel !== 'loose') {
 return;
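Review bot: In `addClass` the existence guard `if (Object.hasOwn(classes, className))` is evaluated on the string returned by `splitClassNameAndType`, but the entry is written under `name`, a further-sanitised copy of that string; whenever the extra `common.sanitizeText` pass actually changes the value — which is the very case this commit targets, class names containing backticks or markup — the guard looks up a key that is never written, so every repeated `addClass` call for that class re-creates `classes[name]` and throws away the `members`, `methods` and `cssClasses` accumulated so far. Compute the stored key first and guard on it: `const name = common.sanitizeText(className, configApi.getConfig());` followed by `if (Object.hasOwn(classes, name)) { return; }`, and drop the now-redundant second computation. If `sanitizeText` happens to be idempotent the two keys coincide and the defect stays latent, but `lookUpDomId` in the next hunk depends on that same unverified idempotence (it reads `classes[id]` after one sanitisation pass while `addClass` stores after three), so it is better to make the keys agree by construction than to assume it. The two commented-out `// alert(...)` debug lines should not land in the sanitiser path. `addClass` continues past the end of the hunk, so I cannot see whether anything after `classCounter++` still uses the unsanitised `className`.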