Fix for issue with links from actors
@@ -70,7 +70,7 @@
|
||||
// fontFamily: 'courier',
|
||||
fontSize: 18,
|
||||
curve: 'basis',
|
||||
securityLevel: 'strict ',
|
||||
securityLevel: 'strict',
|
||||
startOnLoad: false,
|
||||
secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'],
|
||||
// themeVariables: {relationLabelColor: 'red'}
|
||||
@@ -90,7 +90,7 @@
|
||||
var diagram = `sequenceDiagram
|
||||
participant John
|
||||
links John: {"XSS": "javas`;
|
||||
diagram += 'cript:alert(window.opener.document.domain)"}';
|
||||
diagram += `cript:alert('AudioParam')"}`;
|
||||
|
||||
// var diagram = "stateDiagram-v2\n";
|
||||
// diagram += "<img/src='1'/onerror"
|
||||
|
@@ -13,6 +13,24 @@ export const getRows = (s) => {
|
||||
return str.split('#br#');
|
||||
};
|
||||
|
||||
export const removeEscapes = (text) => {
|
||||
let newStr = text.replace(/\\u[\dA-F]{4}/gi, function (match) {
|
||||
return String.fromCharCode(parseInt(match.replace(/\\u/g, ''), 16));
|
||||
});
|
||||
|
||||
console.log(newStr);
|
||||
|
||||
newStr = newStr.replace(/\\x([0-9a-f]{2})/gi, (_, c) => String.fromCharCode(parseInt(c, 16)));
|
||||
newStr = newStr.replace(/\\[\d\d\d]{3}/gi, function (match) {
|
||||
return String.fromCharCode(parseInt(match.replace(/\\/g, ''), 8));
|
||||
});
|
||||
newStr = newStr.replace(/\\[\d\d\d]{2}/gi, function (match) {
|
||||
return String.fromCharCode(parseInt(match.replace(/\\/g, ''), 8));
|
||||
});
|
||||
|
||||
return newStr;
|
||||
};
|
||||
|
||||
/**
|
||||
* Removes script tags from a text
|
||||
*
|
||||
@@ -40,13 +58,12 @@ export const removeScript = (txt) => {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
rs = rs.replace(/script>/gi, '#');
|
||||
rs = rs.replace(/script>/gi, '#');
|
||||
rs = rs.replace(/javascript:/gi, '#');
|
||||
rs = rs.replace(/onerror=/gi, 'onerror:');
|
||||
rs = rs.replace(/<iframe/gi, '');
|
||||
return rs;
|
||||
let decodedText = removeEscapes(rs);
|
||||
decodedText = decodedText.replace(/script>/gi, '#');
|
||||
decodedText = decodedText.replace(/javascript:/gi, '#');
|
||||
decodedText = decodedText.replace(/onerror=/gi, 'onerror:');
|
||||
decodedText = decodedText.replace(/<iframe/gi, '');
|
||||
return decodedText;
|
||||
};
|
||||
|
||||
const sanitizeMore = (text, config) => {
|
||||
@@ -62,7 +79,7 @@ const sanitizeMore = (text, config) => {
|
||||
if (htmlLabels) {
|
||||
const level = config.securityLevel;
|
||||
|
||||
if (level === 'antiscript') {
|
||||
if (level === 'antiscript' || level === 'strict') {
|
||||
txt = removeScript(txt);
|
||||
} else if (level !== 'loose') {
|
||||
// eslint-disable-line
|
||||
@@ -171,4 +188,5 @@ export default {
|
||||
removeScript,
|
||||
getUrl,
|
||||
evaluate,
|
||||
removeEscapes,
|
||||
};
|
||||
|
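Review bot: `removeEscapes` leaves a `console.log(newStr);` in the decode path, so every label or link text that passes through the sanitizer is written to the console; drop that line. The octal passes use `/\\[\d\d\d]{3}/gi` and `/\\[\d\d\d]{2}/gi`, where `[\d\d\d]` is just a digit class, so sequences containing `8` or `9` also match, `parseInt(..., 8)` yields NaN or a truncated value and `String.fromCharCode` then emits U+0000 or an unintended control character; tighten them to `/\\[0-7]{3}/g` and `/\\[0-7]{2}/g` (the `i` flag does nothing on digits). Decoding is a single pass in a fixed order (unicode, hex, octal), so a decoded character that completes another escape is not decoded again; if whatever renders the link decodes independently, looping until the string is stable would close that gap and terminates because each pass only shortens the text. Since `return decodedText;` now returns the decoded form rather than the author's literal, a comment such as `// escapes are decoded before stripping so the rendered text cannot differ from what was checked` would make the intent explicit. removeScript's body begins outside the `@@ -40,13 +58,12` hunk.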
@@ -1,4 +1,4 @@
|
||||
import { removeScript } from './common';
|
||||
import { removeScript, removeEscapes } from './common';
|
||||
|
||||
describe('when securityLevel is antiscript, all script must be removed', function () {
|
||||
it('should remove all script block, script inline.', function () {
|
||||
@@ -24,3 +24,48 @@ describe('when securityLevel is antiscript, all script must be removed', functio
|
||||
expect(isEqual).toEqual(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe('remove escape code in text', function () {
|
||||
it('should remove a unicode colon', function () {
|
||||
const labelString = '\\u003A';
|
||||
|
||||
const result = removeEscapes(labelString);
|
||||
expect(result).toEqual(':');
|
||||
});
|
||||
it('should remove a hex colon', function () {
|
||||
const labelString = '\\x3A';
|
||||
|
||||
const result = removeEscapes(labelString);
|
||||
expect(result).toEqual(':');
|
||||
});
|
||||
it('should remove a oct colon', function () {
|
||||
const labelString = '\\72';
|
||||
|
||||
const result = removeEscapes(labelString);
|
||||
expect(result).toEqual(':');
|
||||
});
|
||||
it('should remove a oct colon 3 numbers', function () {
|
||||
const labelString = '\\072';
|
||||
|
||||
const result = removeEscapes(labelString);
|
||||
expect(result).toEqual(':');
|
||||
});
|
||||
it('should remove multiple colons 3 numbers', function () {
|
||||
const labelString = '\\072\\072\\72';
|
||||
|
||||
const result = removeEscapes(labelString);
|
||||
expect(result).toEqual(':::');
|
||||
});
|
||||
it('should handle greater and smaller then', function () {
|
||||
const labelString = '\\74\\076';
|
||||
|
||||
const result = removeEscapes(labelString);
|
||||
expect(result).toEqual('<>');
|
||||
});
|
||||
it('should handle letters', function () {
|
||||
const labelString = '\\u0073\\143ri\\x70\\u0074\\x3A';
|
||||
|
||||
const result = removeEscapes(labelString);
|
||||
expect(result).toEqual('script:');
|
||||
});
|
||||
});
|
||||
|
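Review bot: The new suite exercises `removeEscapes` only in isolation; nothing checks `removeScript`, which now calls `removeEscapes` before its replacements, end to end for the case the commit title names. Add one `it` that passes `'java' + '\\u0073\\143ri\\x70\\u0074\\x3A'` (the input of the last test) through `removeScript` and asserts the result contains `#` where the scheme was, and one asserting `removeEscapes('\\89')` returns `'\\89'` unchanged, since digits outside the octal range should not be decoded into a control character.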