marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-09-18 14:59:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into develop

Browse Source
This commit is contained in:
Knut Sveidqvist
2021-03-13 16:45:27 +01:00
parent 5f841d98bc b9d90339ac
commit 4e7ecb3f30
13 changed files with 482 additions and 236 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/config.js
View File

@@ -135,6 +135,7 @@ export const getConfig = () => {
* @param options - the potential setConfig parameter
*/
export const sanitize = options => {
// Checking that options are not in the list of excluded options
Object.keys(siteConfig.secure).forEach(key => {
if (typeof options[siteConfig.secure[key]] !== 'undefined') {
// DO NOT attempt to print options[siteConfig.secure[key]] within `${}` as a malicious script
@@ -146,6 +147,29 @@ export const sanitize = options => {
delete options[siteConfig.secure[key]];
}
});
// Check that there no attempts of prototype pollution
Object.keys(options).forEach(key => {
if (key.indexOf('__') === 0) {
delete options[key];
}
});
// Check that there no attempts of xss, there should be no tags at all in the directive
// blocking data urls as base64 urls can contain svgs with inline script tags
Object.keys(options).forEach(key => {
if (typeof options[key] === 'string') {
if (
options[key].indexOf('<') > -1 ||
options[key].indexOf('>') > -1 ||
options[key].indexOf('url(data:') > -1
) {
delete options[key];
}
}
if (typeof options[key] === 'object') {
sanitize(options[key]);
}
});
};
export const addDirective = directive => {