From 610f154c740e04edb8aa5d837b51654d0d898d6f Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist
Date: Tue, 21 Jun 2022 21:46:37 +0200
Subject: [PATCH] Sanitizsation of incoming variables that are added to the userStyles
---
 cypress/platform/ghsa2.html | 28 ++++++++++++++++++++++++++++
 src/mermaidAPI.js | 2 ++
 src/utils.js | 8 ++++++++
 3 files changed, 38 insertions(+)
 create mode 100644 cypress/platform/ghsa2.html
diff --git a/cypress/platform/ghsa2.html b/cypress/platform/ghsa2.html
new file mode 100644
index 000000000..b4e390c6c
--- /dev/null
+++ b/cypress/platform/ghsa2.html
@@ -0,0 +1,28 @@
+ + + +
+

This element does not belong to the SVG but we can style it

+
+ + + + + + + +
diff --git a/src/mermaidAPI.js b/src/mermaidAPI.js
index efa93791a..750c73cb1 100644
--- a/src/mermaidAPI.js
+++ b/src/mermaidAPI.js
@@ -385,6 +385,8 @@ const render = function (id, _txt, cb, container) {
 let userStyles = '';
 // user provided theme CSS
+ // If you add more configuration driven data into the user styles make sure that the value is
+ // sanitized bye the santiizeCSS function
 if (cnf.themeCSS !== undefined) {
 userStyles += `\n${cnf.themeCSS}`;
 }
diff --git a/src/utils.js b/src/utils.js
index 9b8387cc4..4d7854c22 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -1032,6 +1032,14 @@ export const directiveSanitizer = (args) => {
 log.debug('sanitizing themeCss option');
 args[key] = sanitizeCss(args[key]);
 }
+ if (key.indexOf('fontFamily') >= 0) {
+ log.debug('sanitizing fontFamily option');
+ args[key] = sanitizeCss(args[key]);
+ }
+ if (key.indexOf('altFontFamily') >= 0) {
+ log.debug('sanitizing altFontFamily option');
+ args[key] = sanitizeCss(args[key]);
+ }
 if (configKeys.indexOf(key) < 0) {
 log.debug('sanitize deleting option', key);
 delete args[key];
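Review bot: The new comment in mermaidAPI.js names a helper that does not exist under that spelling — the function this commit actually calls, in the utils.js hunk, is `sanitizeCss` — and `bye` is a typo, so a maintainer grepping for the named function will find nothing. Proposed wording: `// If you add more configuration-driven data to the user styles, make sure the value is` / `// sanitized by sanitizeCss (see directiveSanitizer in utils.js) before it is appended here.` The comment sits inside `render`, whose body starts and ends outside this hunk, and the sanitizing it refers to is performed in `directiveSanitizer` rather than at this point, so naming that location is the part of the comment that actually helps the next reader.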
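Review bot: The two new blocks in the utils.js hunk are the same check twice, and the reason the second one is not redundant is easy to miss: `'altFontFamily'` does not contain the lowercase substring `'fontFamily'`, so a case-sensitive `indexOf` on `'fontFamily'` alone would skip it. One case-insensitive test, `if (key.toLowerCase().indexOf('fontfamily') >= 0) {`, covers both spellings in a single block (with the log line reporting `key` instead of a fixed name); if the two blocks are kept, a one-line comment such as `// 'altFontFamily' is not matched by the 'fontFamily' test above (case-sensitive)` would stop a future cleanup from deleting the second as duplicate. `sanitizeCss(args[key])` is called without checking that the value is a string, mirroring the `themeCss` handling above, so it is worth confirming that the helper tolerates non-string values. The head of `directiveSanitizer` is outside the hunk, so it cannot be seen here whether nested config objects are recursed into; if they are not, a font family supplied inside a nested object would bypass this check.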