test: check katex sanitization

2025-09-17 14:29:48 +02:00 · 2025-08-05 22:36:28 +05:30
parent 4ab98c2ec7
commit 8d79bc9b19
3 changed files with 17 additions and 8 deletions
--- a/cypress/helpers/util.ts
+++ b/cypress/helpers/util.ts
@@ -14,7 +14,7 @@ interface CodeObject {
  mermaid: CypressMermaidConfig;
 }

-const utf8ToB64 = (str: string): string => {
+export const utf8ToB64 = (str: string): string => {
  return Buffer.from(decodeURIComponent(encodeURIComponent(str))).toString('base64');
 };

@@ -22,7 +22,7 @@ const batchId: string =
  'mermaid-batch-' +
  (Cypress.env('useAppli')
    ? Date.now().toString()
-    : Cypress.env('CYPRESS_COMMIT') || Date.now().toString());
+    : (Cypress.env('CYPRESS_COMMIT') ?? Date.now().toString()));

 export const mermaidUrl = (
  graphStr: string | string[],
@@ -61,9 +61,7 @@ export const imgSnapshotTest = (
    sequence: {
      ...(_options.sequence ?? {}),
      actorFontFamily: 'courier',
-      noteFontFamily: _options.sequence?.noteFontFamily
-        ? _options.sequence.noteFontFamily
-        : 'courier',
+      noteFontFamily: _options.sequence?.noteFontFamily ?? 'courier',
      messageFontFamily: 'courier',
    },
  };
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -1,4 +1,4 @@
-import { mermaidUrl } from '../../helpers/util.ts';
+import { imgSnapshotTest, mermaidUrl, utf8ToB64 } from '../../helpers/util.ts';
 describe('XSS', () => {
  it('should handle xss in tags', () => {
    const str =
@@ -141,4 +141,15 @@ describe('XSS', () => {
    cy.wait(1000);
    cy.get('#the-malware').should('not.exist');
  });
+
+  it('should sanitize katex blocks', () => {
+    const str = JSON.stringify({
+      code: `sequenceDiagram
+    participant A as Alice<img src="x" onerror="xssAttack()">$$\\text{Alice}$$
+    A->>John: Hello John, how are you?`,
+    });
+    imgSnapshotTest(utf8ToB64(str), {}, true);
+    cy.wait(1000);
+    cy.get('#the-malware').should('not.exist');
+  });
 });
--- a/cypress/platform/viewer.js
+++ b/cypress/platform/viewer.js
@@ -182,7 +182,7 @@ const contentLoadedApi = async function () {
      for (let i = 0; i < numCodes; i++) {
        const { svg, bindFunctions } = await mermaid.render('newid' + i, graphObj.code[i], divs[i]);
        div.innerHTML = svg;
-        bindFunctions(div);
+        bindFunctions?.(div);
      }
    } else {
      const div = document.createElement('div');
@@ -194,7 +194,7 @@ const contentLoadedApi = async function () {
      const { svg, bindFunctions } = await mermaid.render('newid', graphObj.code, div);
      div.innerHTML = svg;
      console.log(div.innerHTML);
-      bindFunctions(div);
+      bindFunctions?.(div);
    }
  }
 };