From 73ff972789b142a2c95c52d3b3dcf4a1e6f38648 Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist <knut.sveidqvist@ipiccolo.com>
Date: Tue, 3 Aug 2021 20:10:15 +0200
Subject: [PATCH] #2219 Moving check earlier in the chain for better effect

---
 cypress/platform/knsv.html    | 16 +++++++++++++---
 cypress/platform/xss2.html    |  6 ++++++
 src/diagrams/common/common.js |  1 -
 src/utils.js                  |  9 ++++++++-
 4 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/cypress/platform/knsv.html b/cypress/platform/knsv.html
index 2f4eb532b..50b3c0607 100644
--- a/cypress/platform/knsv.html
+++ b/cypress/platform/knsv.html
@@ -57,9 +57,19 @@ subgraph CompositeState
 end
 </div>
 <div class="mermaid" style="width: 100%; height: 20%;">
-graph TD
-  A["<img src=`https://via.placeholder.com/64/`>"]
+%%{init: { '__proto__': {'vuln': 'test'}} }%%
+%%{init: { '__proto__': {'vuln': 'test'}} }%%
+
+sequenceDiagram
+Alice->>Bob: Hi Bob
+Bob->>Alice: Hi Alice
 </div>
+    <div class="mermaid">
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      graph LR
+          A --> B
+    </div>
 <div class="mermaid2" style="width: 100%; height: 20%;">
 flowchart TD
   Link --> b
@@ -121,7 +131,7 @@ YourState
         logLevel:0,
         fontSize: 18,
         curve: 'cardinal',
-        securityLevel: 'loose',
+        securityLevel: 'strict',
         // themeVariables: {relationLabelColor: 'red'}
       });
       function callback(){alert('It worked');}
diff --git a/cypress/platform/xss2.html b/cypress/platform/xss2.html
index 3e4c0790b..0774023ff 100644
--- a/cypress/platform/xss2.html
+++ b/cypress/platform/xss2.html
@@ -38,6 +38,12 @@
       graph LR
           A --> B
     </div>
+    <div class="mermaid">
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      %%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
+      graph LR
+          A --> B
+    </div>
     <script src="./mermaid.js"></script>
     <script>
       mermaid.initialize({
diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js
index f23add312..c0b53378b 100644
--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@@ -65,7 +65,6 @@ const sanitizeMore = (text, config) => {
 
 export const sanitizeText = (text, config) => {
   const txt = sanitizeMore(DOMPurify.sanitize(text), config);
-
   return txt;
 };
 
diff --git a/src/utils.js b/src/utils.js
index fda8d2c73..9cd46a485 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -71,6 +71,14 @@ export const detectInit = function (text, cnf) {
   let results = {};
   if (Array.isArray(inits)) {
     let args = inits.map((init) => init.args);
+    Object.keys(args).forEach((argKey) => {
+      Object.keys(args[argKey]).forEach((key) => {
+        if (key.indexOf('__') === 0) {
+          log.debug('sanitize deleting prototype option', args[key]);
+          delete args[argKey][key];
+        }
+      });
+    });
     results = assignWithDepth(results, [...args]);
   } else {
     results = inits.args;
@@ -173,7 +181,6 @@ export const detectDirective = function (text, type = null) {
  */
 export const detectType = function (text, cnf) {
   text = text.replace(directive, '').replace(anyComment, '\n');
-  log.debug('Detecting diagram type based on the text ' + text);
   if (text.match(/^\s*sequenceDiagram/)) {
     return 'sequence';
   }