diff --git a/cypress/platform/knsv.html b/cypress/platform/knsv.html index 0b407b88e..2f4eb532b 100644 --- a/cypress/platform/knsv.html +++ b/cypress/platform/knsv.html @@ -56,17 +56,11 @@ subgraph CompositeState end -
-stateDiagram-v2 - state CompositeState { - state AnotherCompositeState1234567890 { - YourState - } - } - -
-javascript:alert('XSS')
+graph TD + A[""] +
+
flowchart TD Link --> b click Link href "javascript:alert('XSS')" "Tooltip for diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js index 0a22797e1..f23add312 100644 --- a/src/diagrams/common/common.js +++ b/src/diagrams/common/common.js @@ -36,8 +36,36 @@ export const removeScript = (txt) => { return rs; }; -export const sanitizeText = (text) => { - const txt = DOMPurify.sanitize(text); +const sanitizeMore = (text, config) => { + let txt = text; + let htmlLabels = true; + if ( + config.flowchart && + (config.flowchart.htmlLabels === false || config.flowchart.htmlLabels === 'false') + ) { + htmlLabels = false; + } + + if (htmlLabels) { + const level = config.securityLevel; + + if (level === 'antiscript') { + txt = removeScript(txt); + } else if (level !== 'loose') { + // eslint-disable-line + txt = breakToPlaceholder(txt); + txt = txt.replace(//g, '>'); + txt = txt.replace(/=/g, '='); + txt = placeholderToBreak(txt); + } + } + + return txt; +}; + +export const sanitizeText = (text, config) => { + const txt = sanitizeMore(DOMPurify.sanitize(text), config); + return txt; }; @@ -50,7 +78,9 @@ export const hasBreaks = (text) => { export const splitBreaks = (text) => { return text.split(//gi); }; - +const placeholderToBreak = (s) => { + return s.replace(/#br#/g, '
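Review bot: `sanitizeMore` reads `config.flowchart` and `config.securityLevel` without a guard, and `sanitizeText` now takes `config` as a second parameter, so a caller that still invokes `sanitizeText(text)` (if any remain outside this diff) would throw a TypeError instead of receiving escaped output; a default parameter keeps the escaping branch as the fallback: `const sanitizeMore = (text, config = {}) => {`. The escaping branch is also what runs for any `securityLevel` other than `'loose'` and `'antiscript'`, including an unset one, which is the safe direction but deserves a comment such as `// any level other than 'loose'/'antiscript' (including unset) escapes markup`. The `// eslint-disable-line` sits on a line of its own inside the else branch, where it disables nothing; drop it or attach it to the line it was meant for. The replace calls appear garbled in this rendering (`txt.replace(//g, '>')`), so the exact characters being escaped should be confirmed against the real file.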
'); +}; const breakToPlaceholder = (s) => { return s.replace(lineBreakRegex, '#br#'); }; diff --git a/src/diagrams/flowchart/parser/flow-singlenode.spec.js b/src/diagrams/flowchart/parser/flow-singlenode.spec.js index 46df523b4..15f7cc169 100644 --- a/src/diagrams/flowchart/parser/flow-singlenode.spec.js +++ b/src/diagrams/flowchart/parser/flow-singlenode.spec.js @@ -121,7 +121,7 @@ describe('[Singlenodes] when parsing', () => { expect(edges.length).toBe(0); expect(vert['a'].type).toBe('diamond'); - expect(vert['a'].text).toBe('A
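Review bot: `placeholderToBreak` turns every `#br#` into a break tag, so a `#br#` that appeared literally in the caller's text, not one produced by `breakToPlaceholder`, also becomes markup, and every break form matched by `lineBreakRegex` (defined outside this hunk) collapses to the single canonical form on the way back; harmless for a line break, but the round trip is not lossless and should say so. Suggested comment above the definition: `// Inverse of breakToPlaceholder: also converts any literal #br# in the input, and always emits the canonical break tag.` Both helpers are `const` arrow functions declared after `sanitizeMore` references them, which only works because the calls happen when `sanitizeText` runs rather than at module evaluation; a short note would stop someone hoisting a call into module scope.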
end'); + expect(vert['a'].text).toBe('A
end'); }); it('should handle a single hexagon node', function() { @@ -144,7 +144,7 @@ describe('[Singlenodes] when parsing', () => { expect(edges.length).toBe(0); expect(vert['a'].type).toBe('hexagon'); - expect(vert['a'].text).toBe('A
end'); + expect(vert['a'].text).toBe('A
end'); }); it('should handle a single round node with html in it', function() { @@ -156,7 +156,7 @@ describe('[Singlenodes] when parsing', () => { expect(edges.length).toBe(0); expect(vert['a'].type).toBe('round'); - expect(vert['a'].text).toBe('A
end'); + expect(vert['a'].text).toBe('A
end'); }); it('should handle a single node with alphanumerics starting on a char', function() { diff --git a/src/diagrams/flowchart/parser/flow-text.spec.js b/src/diagrams/flowchart/parser/flow-text.spec.js index b5c8a6eab..61703000a 100644 --- a/src/diagrams/flowchart/parser/flow-text.spec.js +++ b/src/diagrams/flowchart/parser/flow-text.spec.js @@ -328,7 +328,7 @@ describe('[Text] when parsing', () => { const edges = flow.parser.yy.getEdges(); expect(vert['C'].type).toBe('round'); - expect(vert['C'].text).toBe('Chimpansen hoppar åäö
- ÅÄÖ'); + expect(vert['C'].text).toBe('Chimpansen hoppar åäö
- ÅÄÖ'); }); // xit('it should handle åäö, minus and space and br',function(){ // const res = flow.parser.parse('graph TD; A[Object(foo,bar)]-->B(Thing);');