From 69a1bb99acd7038ce04a73ea69e119593ef41396 Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist
Date: Thu, 29 Jul 2021 18:05:13 +0200
Subject: [PATCH] #2209 Combining sanitasion approaches
---
 cypress/platform/knsv.html | 14 ++++----------
 src/diagrams/common/common.js | 30 +++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/cypress/platform/knsv.html b/cypress/platform/knsv.html
index 0b407b88e..2f4eb532b 100644
--- a/cypress/platform/knsv.html
+++ b/cypress/platform/knsv.html
@@ -56,17 +56,11 @@ subgraph CompositeState end -
-stateDiagram-v2
- state CompositeState {
- state AnotherCompositeState1234567890 {
- YourState
- }
- }
-
-javascript:alert('XSS')
+graph TD
+ A[""]
+
+
flowchart TD Link --> b click Link href "javascript:alert('XSS')" "Tooltip for
diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js
index 0a22797e1..48c33a8bf 100644
--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@@ -36,8 +36,36 @@ export const removeScript = (txt) => {
 return rs;
 };
+const sanitizeMore = (text, config) => {
+ let txt = text;
+ let htmlLabels = true;
+ if (
+ config.flowchart &&
+ (config.flowchart.htmlLabels === false || config.flowchart.htmlLabels === 'false')
+ ) {
+ htmlLabels = false;
+ }
+
+ if (htmlLabels) {
+ const level = config.securityLevel;
+
+ if (level === 'antiscript') {
+ txt = removeScript(txt);
+ } else if (level !== 'loose') {
+ // eslint-disable-line
+ txt = breakToPlaceholder(txt);
+ txt = txt.replace(//g, '>');
+ txt = txt.replace(/=/g, '=');
+ txt = placeholderToBreak(txt);
+ }
+ }
+
+ return txt;
+};
+
 export const sanitizeText = (text) => {
- const txt = DOMPurify.sanitize(text);
+ const txt = sanitizeMore(DOMPurify.sanitize(text));
+
 return txt;
 };
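Review bot: In the common.js hunk, `sanitizeText` calls `sanitizeMore(DOMPurify.sanitize(text))` with no second argument, yet `sanitizeMore` dereferences `config.flowchart` and `config.securityLevel` unconditionally, so as written every `sanitizeText` call throws a TypeError on `config.flowchart` before any escaping runs. The config should be threaded through — `export const sanitizeText = (text, config) =>` and `sanitizeMore(DOMPurify.sanitize(text), config)` — and the `config.flowchart` access guarded (`config && config.flowchart && …`) so that a missing config falls into the strict `level !== 'loose'` branch rather than skipping the extra escaping; a no-op fallback would silently drop the `<`/`>`/`=` replacement for any caller that forgets the argument. As rendered here the two `replace` calls read `//g, '>'` and `/=/g, '='`, which looks like entity text lost in extraction rather than the committed code, but it is worth confirming the committed patterns and replacement strings are the intended entity escapes, since a literal `'='` → `'='` replacement would change nothing. The `// eslint-disable-line` on its own line only affects that comment line and can be removed.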