From 47acc1e423d6922f006a32f6fbeb5e72f57790d0 Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist
Date: Fri, 29 Sep 2023 13:38:00 +0200
Subject: [PATCH] Fix for issue with backticks in ids in classDiagrams
---
 cypress/integration/other/xss.spec.js | 5 +
 cypress/platform/knsv2.html | 10 +-
 cypress/platform/xss10.html | 10 ++
 cypress/platform/xss11.html | 10 ++
 cypress/platform/xss12.html | 10 ++
 cypress/platform/xss13.html | 10 ++
 cypress/platform/xss15.html | 10 ++
 cypress/platform/xss16.html | 10 ++
 cypress/platform/xss17.html | 10 ++
 cypress/platform/xss18.html | 10 ++
 cypress/platform/xss19.html | 10 ++
 cypress/platform/xss20.html | 10 ++
 cypress/platform/xss21.html | 10 ++
 cypress/platform/xss23-css.html | 10 ++
 cypress/platform/xss24.html | 109 ++++++++++++++++++
 cypress/platform/xss5.html | 18 +--
 cypress/platform/xss6.html | 10 ++
 cypress/platform/xss7.html | 10 ++
 cypress/platform/xss8.html | 10 ++
 cypress/platform/xss9.html | 10 ++
 .../mermaid/src/diagrams/class/classDb.ts | 27 +++--
 21 files changed, 305 insertions(+), 24 deletions(-)
 create mode 100644 cypress/platform/xss24.html
diff --git a/cypress/integration/other/xss.spec.js b/cypress/integration/other/xss.spec.js
index fa4ca4fc8..678040f98 100644
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -132,4 +132,9 @@ describe('XSS', () => {
 cy.wait(1000);
 cy.get('#the-malware').should('not.exist');
 });
+ it('should sanitize backticks in class names properly', () => {
+ cy.visit('http://localhost:9000/xss24.html');
+ cy.wait(1000);
+ cy.get('#the-malware').should('not.exist');
+ });
 });
diff --git a/cypress/platform/knsv2.html b/cypress/platform/knsv2.html
index f9a9f3756..6ade6a2e5 100644
--- a/cypress/platform/knsv2.html
+++ b/cypress/platform/knsv2.html
@@ -58,12 +58,10 @@
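Review bot: The new `it('should sanitize backticks in class names properly')` case asserts only that `#the-malware` is absent, so it also passes when the page or the diagram fails to render at all, which would mask a parse regression in backtick handling instead of confirming the fix. A positive check that rendering happened, such as `cy.get('svg').should('exist');` after the wait, would make the test meaningful, assuming xss24.html renders into an svg like the sibling fixtures. The fixed `cy.wait(1000)` mirrors the existing cases but remains a timing assumption rather than a condition to wait on.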
-      flowchart
-        classDef mainCategories fill:#f9d5e5, stroke:#233d4d,stroke-width:2px, font-weight:bold;
-        CS(Customer Awareness Journey):::mainCategories
-      
-
+      classDiagram
+  `Class` <|-- `Class2`
+    
+
 flowchart
 Node1:::class1 --> Node2:::class2
 Node1:::class1 --> Node3:::class2
diff --git a/cypress/platform/xss10.html b/cypress/platform/xss10.html
index 3a8157fed..79fa97136 100644
--- a/cypress/platform/xss10.html
+++ b/cypress/platform/xss10.html
@@ -42,6 +42,16 @@
         font-size: 72px;
       }
     
+    
   
   
     
Security check
diff --git a/cypress/platform/xss11.html b/cypress/platform/xss11.html index 302f39ee9..3b505b741 100644 --- a/cypress/platform/xss11.html +++ b/cypress/platform/xss11.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss12.html b/cypress/platform/xss12.html index b1e2c1d0a..75059e8af 100644 --- a/cypress/platform/xss12.html +++ b/cypress/platform/xss12.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss13.html b/cypress/platform/xss13.html index 9f505ea7b..9ee2a7304 100644 --- a/cypress/platform/xss13.html +++ b/cypress/platform/xss13.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss15.html b/cypress/platform/xss15.html index 3fa6b7151..bfd3f1652 100644 --- a/cypress/platform/xss15.html +++ b/cypress/platform/xss15.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss16.html b/cypress/platform/xss16.html index 6f8a734eb..0b8c0c9f7 100644 --- a/cypress/platform/xss16.html +++ b/cypress/platform/xss16.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss17.html b/cypress/platform/xss17.html index bd7e1c57e..2a0470126 100644 --- a/cypress/platform/xss17.html +++ b/cypress/platform/xss17.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss18.html b/cypress/platform/xss18.html index ccacfadbb..df1bee1dd 100644 --- a/cypress/platform/xss18.html +++ b/cypress/platform/xss18.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss19.html b/cypress/platform/xss19.html index 7966abb8c..4d7bb6e08 100644 --- a/cypress/platform/xss19.html +++ b/cypress/platform/xss19.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss20.html b/cypress/platform/xss20.html index f290898b2..bbe2dd00b 100644 --- a/cypress/platform/xss20.html +++ b/cypress/platform/xss20.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss21.html b/cypress/platform/xss21.html index 7cfa17c9e..be7289b7f 100644 --- a/cypress/platform/xss21.html +++ b/cypress/platform/xss21.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss23-css.html b/cypress/platform/xss23-css.html index cc5b6f0bf..c4bc43b6a 100644 --- a/cypress/platform/xss23-css.html +++ b/cypress/platform/xss23-css.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss24.html b/cypress/platform/xss24.html new file mode 100644 index 000000000..5ca092d65 --- /dev/null +++ b/cypress/platform/xss24.html @@ -0,0 +1,109 @@ + + + + + + + + + + +
Security check
+
+
+
+
+ + + diff --git a/cypress/platform/xss5.html b/cypress/platform/xss5.html index f7abf7a45..e9855f3f7 100644 --- a/cypress/platform/xss5.html +++ b/cypress/platform/xss5.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
@@ -84,14 +94,6 @@ function callback() { alert('It worked'); } - function xssAttack() { - const div = document.createElement('div'); - div.id = 'the-malware'; - div.className = 'malware'; - div.innerHTML = 'XSS Succeeded'; - document.getElementsByTagName('body')[0].appendChild(div); - throw new Error('XSS Succeeded'); - } let diagram = 'graph LR\n'; diagram += 'B-->D(" +
Security check
diff --git a/cypress/platform/xss7.html b/cypress/platform/xss7.html index 177b4342c..36abe7b41 100644 --- a/cypress/platform/xss7.html +++ b/cypress/platform/xss7.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss8.html b/cypress/platform/xss8.html index 5852c2693..15358b6f0 100644 --- a/cypress/platform/xss8.html +++ b/cypress/platform/xss8.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/cypress/platform/xss9.html b/cypress/platform/xss9.html index cf2ad1359..a9c652b59 100644 --- a/cypress/platform/xss9.html +++ b/cypress/platform/xss9.html @@ -42,6 +42,16 @@ font-size: 72px; } +
Security check
diff --git a/packages/mermaid/src/diagrams/class/classDb.ts b/packages/mermaid/src/diagrams/class/classDb.ts
index b2485267a..45ca1ed16 100644
--- a/packages/mermaid/src/diagrams/class/classDb.ts
+++ b/packages/mermaid/src/diagrams/class/classDb.ts
@@ -36,7 +36,8 @@ let functions: any[] = [];
 const sanitizeText = (txt: string) => common.sanitizeText(txt, configApi.getConfig());
-const splitClassNameAndType = function (id: string) {
+const splitClassNameAndType = function (_id: string) {
+ const id = common.sanitizeText(_id, configApi.getConfig());
 let genericType = '';
 let className = id;
@@ -49,7 +50,8 @@ const splitClassNameAndType = function (id: string) {
 return { className: className, type: genericType };
 };
-export const setClassLabel = function (id: string, label: string) {
+export const setClassLabel = function (_id: string, label: string) {
+ const id = common.sanitizeText(_id, configApi.getConfig());
 if (label) {
 label = sanitizeText(label);
 }
@@ -64,22 +66,25 @@ export const setClassLabel = function (id: string, label: string) {
 * @param id - Id of the class to add
 * @public
 */
-export const addClass = function (id: string) {
+export const addClass = function (_id: string) {
+ const id = common.sanitizeText(_id, configApi.getConfig());
 const { className, type } = splitClassNameAndType(id);
 // Only add class if not exists
 if (Object.hasOwn(classes, className)) {
 return;
 }
-
- classes[className] = {
- id: className,
+ // alert('Adding class: ' + className);
+ const name = common.sanitizeText(className, configApi.getConfig());
+ // alert('Adding class after: ' + name);
+ classes[name] = {
+ id: name,
 type: type,
- label: className,
+ label: name,
 cssClasses: [],
 methods: [],
 members: [],
 annotations: [],
- domId: MERMAID_DOM_ID_PREFIX + className + '-' + classCounter,
+ domId: MERMAID_DOM_ID_PREFIX + name + '-' + classCounter,
 } as ClassNode;
 classCounter++;
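Review bot: The added `const id = common.sanitizeText(_id, configApi.getConfig());` lines in splitClassNameAndType, setClassLabel and addClass bypass the `sanitizeText` helper that this same hunk shows declared a few lines above with exactly that body; `const id = sanitizeText(_id);` keeps the sanitization path in one place. Because addClass sanitizes `_id`, then calls splitClassNameAndType which sanitizes again, and then sanitizes `className` once more, a single id now passes through three sanitizer invocations, which is harmless only if common.sanitizeText is idempotent, something the diff does not establish. The same direct-call pattern appears in lookUpDomId and setClickFunc in the following hunks.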
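Review bot: In addClass the duplicate check `if (Object.hasOwn(classes, className))` still keys on `className`, while the entry is now stored under the re-sanitized `name`; whenever sanitization changes the string, the check misses the existing entry and the class is re-registered with a fresh classCounter and domId. Computing the key first keeps the check and the store consistent: `const name = sanitizeText(className);` followed by `if (Object.hasOwn(classes, name)) { return; }`. The two commented-out `// alert(...)` lines are leftover debugging and should be dropped, and the TSDoc above the function still documents `@param id` although the parameter is now `_id` (lookUpDomId in the next hunk has the same mismatch).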
@@ -91,7 +96,8 @@ export const addClass = function (id: string) {
 * @param id - class ID to lookup
 * @public
 */
-export const lookUpDomId = function (id: string): string {
+export const lookUpDomId = function (_id: string): string {
+ const id = common.sanitizeText(_id, configApi.getConfig());
 if (id in classes) {
 return classes[id].domId;
 }
@@ -296,7 +302,8 @@ export const setClickEvent = function (ids: string, functionName: string, functi
 setCssClass(ids, 'clickable');
 };
-const setClickFunc = function (domId: string, functionName: string, functionArgs: string) {
+const setClickFunc = function (_domId: string, functionName: string, functionArgs: string) {
+ const domId = common.sanitizeText(_domId, configApi.getConfig());
 const config = configApi.getConfig();
 if (config.securityLevel !== 'loose') {
 return;
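Review bot: setClickFunc now calls `configApi.getConfig()` on two consecutive lines, once inside the new sanitize call and once for `const config`; fetching it once and reusing it avoids the duplicate lookup: `const config = configApi.getConfig();` then `const domId = common.sanitizeText(_domId, config);`. The function body continues past the end of the hunk, so whether `functionName` and `functionArgs` receive equivalent treatment before they are used is not visible here and is worth confirming.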