Merge branch 'develop' into 2732_accesible_charts

src/config.js

@@ -27,7 +27,7 @@ export const updateCurrentConfig = (siteCfg, _directives) => {
 
   cfg = assignWithDepth(cfg, sumOfDirectives);
 
-  if (sumOfDirectives.theme) {
+  if (sumOfDirectives.theme && theme[sumOfDirectives.theme]) {
     const tmpConfigFromInitialize = assignWithDepth({}, configFromInitialize);
     const themeVariables = assignWithDepth(
       tmpConfigFromInitialize.themeVariables || {},
@@ -59,7 +59,7 @@ export const setSiteConfig = (conf) => {
   siteConfig = assignWithDepth({}, defaultConfig);
   siteConfig = assignWithDepth(siteConfig, conf);
 
-  if (conf.theme) {
+  if (conf.theme && theme[conf.theme]) {
     siteConfig.themeVariables = theme[conf.theme].getThemeVariables(conf.themeVariables);
   }
 

src/diagrams/class/classDb.js

@@ -335,7 +335,7 @@ const setupToolTips = function (element) {
 
       tooltipElem.transition().duration(200).style('opacity', '.9');
       tooltipElem
-        .html(el.attr('title'))
+        .text(el.attr('title'))
         .style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
         .style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
       el.classed('hover', true);

src/diagrams/common/common.js

@@ -57,11 +57,11 @@ export const removeScript = (txt) => {
     }
   }
   let decodedText = removeEscapes(rs);
-  decodedText = decodedText.replace(/script>/gi, '#');
-  decodedText = decodedText.replace(/javascript:/gi, '#');
-  decodedText = decodedText.replace(/javascript&colon/gi, '#');
-  decodedText = decodedText.replace(/onerror=/gi, 'onerror:');
-  decodedText = decodedText.replace(/<iframe/gi, '');
+  decodedText = decodedText.replaceAll(/script>/gi, '#');
+  decodedText = decodedText.replaceAll(/javascript:/gi, '#');
+  decodedText = decodedText.replaceAll(/javascript&colon/gi, '#');
+  decodedText = decodedText.replaceAll(/onerror=/gi, 'onerror:');
+  decodedText = decodedText.replaceAll(/<iframe/gi, '');
   return decodedText;
 };
 

src/diagrams/common/common.spec.js

@@ -1,6 +1,14 @@
 import { sanitizeText, removeScript, removeEscapes } from './common';
 
 describe('when securityLevel is antiscript, all script must be removed', function () {
+  /**
+   * @param {string} original The original text
+   * @param {string} result The expected sanitized text
+   */
+  function compareRemoveScript(original, result) {
+    expect(removeScript(original)).toEqual(result);
+  }
+
   it('should remove all script block, script inline.', function () {
     const labelString = `1
 		Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
@@ -9,19 +17,34 @@ describe('when securityLevel is antiscript, all script must be removed', functio
 			alert('script run......');
 		</script>1
 	1`;
-
-    const result = removeScript(labelString);
-    const hasScript = result.indexOf('script') >= 0;
-    expect(hasScript).toEqual(false);
-
     const exactlyString = `1
 		Act1: Hello 11
 		<b>Act2</b>:
 		11
 	1`;
+    compareRemoveScript(labelString, exactlyString);
+  });
 
-    const isEqual = result == exactlyString;
-    expect(isEqual).toEqual(true);
+  it('should remove all javascript urls', function () {
+    compareRemoveScript(
+      `This is a <a href="javascript:runHijackingScript();">clean link</a> + <a href="javascript:runHijackingScript();">clean link</a>
+  and <a href="javascript&colon;bipassedMining();">me too</a>`,
+      `This is a <a href="#runHijackingScript();">clean link</a> + <a href="#runHijackingScript();">clean link</a>
+  and <a href="#;bipassedMining();">me too</a>`
+    );
+  });
+
+  it('should detect malicious images', function () {
+    compareRemoveScript(`<img onerror="alert('hello');">`, `<img onerror:"alert('hello');">`);
+  });
+
+  it('should detect iframes', function () {
+    compareRemoveScript(
+      `<iframe src="http://abc.com/script1.js"></iframe>
+    <iframe src="http://example.com/iframeexample"></iframe>`,
+      ` src="http://abc.com/script1.js"></iframe>
+     src="http://example.com/iframeexample"></iframe>`
+    );
   });
 });
 

src/diagrams/flowchart/flowDb.js

@@ -406,7 +406,7 @@ const setupToolTips = function (element) {
 
       tooltipElem.transition().duration(200).style('opacity', '.9');
       tooltipElem
-        .html(el.attr('title'))
+        .text(el.attr('title'))
         .style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
         .style('top', window.scrollY + rect.top - 14 + document.body.scrollTop + 'px');
       el.classed('hover', true);

src/jison/transformer.js

@@ -2,6 +2,6 @@ const { Generator } = require('jison');
 
 module.exports = {
   process(sourceText, sourcePath, options) {
-    return new Generator(sourceText, options.transformerConfig).generate();
+    return { code: new Generator(sourceText, options.transformerConfig).generate() };
   },
 };

src/mermaidAPI.js

@@ -69,6 +69,7 @@ import DOMPurify from 'dompurify';
  * @returns {any}
  */
 function parse(text) {
+  text = text + '\n';
   const cnf = configApi.getConfig();
   const graphInit = utils.detectInit(text, cnf);
   if (graphInit) {