marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-09-17 14:29:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

#2219 Moving check earlier in the chain for better effect

Browse Source
This commit is contained in:
Knut Sveidqvist
2021-08-03 20:10:15 +02:00
parent 68cd425950
commit 73ff972789
4 changed files with 27 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
cypress/platform/knsv.html
View File

@@ -57,8 +57,18 @@ subgraph CompositeState
end end
</div> </div>
<div class="mermaid" style="width: 100%; height: 20%;"> <div class="mermaid" style="width: 100%; height: 20%;">
graph TD %%{init: { '__proto__': {'vuln': 'test'}} }%%
A["<img src=`https://via.placeholder.com/64/`>"] %%{init: { '__proto__': {'vuln': 'test'}} }%%
sequenceDiagram
Alice->>Bob: Hi Bob
Bob->>Alice: Hi Alice
</div>
<div class="mermaid">
%%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
%%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
graph LR
A --> B
</div> </div>
<div class="mermaid2" style="width: 100%; height: 20%;"> <div class="mermaid2" style="width: 100%; height: 20%;">
flowchart TD flowchart TD
@@ -121,7 +131,7 @@ YourState
logLevel:0, logLevel:0,
fontSize: 18, fontSize: 18,
curve: 'cardinal', curve: 'cardinal',
securityLevel: 'loose', securityLevel: 'strict',
// themeVariables: {relationLabelColor: 'red'} // themeVariables: {relationLabelColor: 'red'}
}); });
function callback(){alert('It worked');} function callback(){alert('It worked');}

6
cypress/platform/xss2.html
View File

@@ -38,6 +38,12 @@
graph LR graph LR
A --> B A --> B
</div> </div>
<div class="mermaid">
%%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
%%{init: { 'theme':'base', '__proto__': {'polluted': 'asdf'}} }%%
graph LR
A --> B
</div>
<script src="./mermaid.js"></script> <script src="./mermaid.js"></script>
<script> <script>
mermaid.initialize({ mermaid.initialize({

1
src/diagrams/common/common.js
View File

@@ -65,7 +65,6 @@ const sanitizeMore = (text, config) => {
export const sanitizeText = (text, config) => { export const sanitizeText = (text, config) => {
const txt = sanitizeMore(DOMPurify.sanitize(text), config); const txt = sanitizeMore(DOMPurify.sanitize(text), config);
return txt; return txt;
}; };

9
src/utils.js
View File

@@ -71,6 +71,14 @@ export const detectInit = function (text, cnf) {
let results = {}; let results = {};
if (Array.isArray(inits)) { if (Array.isArray(inits)) {
let args = inits.map((init) => init.args); let args = inits.map((init) => init.args);
Object.keys(args).forEach((argKey) => {
Object.keys(args[argKey]).forEach((key) => {
if (key.indexOf('__') === 0) {
log.debug('sanitize deleting prototype option', args[key]);
delete args[argKey][key];
}
});
});
results = assignWithDepth(results, [...args]); results = assignWithDepth(results, [...args]);
} else { } else {
results = inits.args; results = inits.args;
@@ -173,7 +181,6 @@ export const detectDirective = function (text, type = null) {
*/ */
export const detectType = function (text, cnf) { export const detectType = function (text, cnf) {
text = text.replace(directive, '').replace(anyComment, '\n'); text = text.replace(directive, '').replace(anyComment, '\n');
log.debug('Detecting diagram type based on the text ' + text);
if (text.match(/^\s*sequenceDiagram/)) { if (text.match(/^\s*sequenceDiagram/)) {
return 'sequence'; return 'sequence';
} }