marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-09-18 23:09:49 +02:00
Code Issues Packages Projects Releases Wiki Activity

Small fix

Browse Source
This commit is contained in:
Knut Sveidqvist
2022-12-08 13:21:56 +01:00
parent 90d9724d1a
commit 9b27396344
6 changed files with 173 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cypress/integration/other/ghsa.spec.js
View File

@@ -7,4 +7,10 @@ describe('CSS injections', () => {
flowchart: { htmlLabels: false }, flowchart: { htmlLabels: false },
}); });
}); });
it('should not allow adding styletags affecting the page', () => {
urlSnapshotTest('http://localhost:9000/ghsa3.html', {
logLevel: 1,
flowchart: { htmlLabels: false },
});
});
}); });

2
cypress/platform/ghsa1.html
View File

@@ -4,7 +4,7 @@
</script> </script>
<body> <body>
<div id="target"> <div id="target">
<h1>This element does not belong to the SVG but we can style it</h1> <h1>Background should be yellow!!!</h1>
</div> </div>
<svg id="diagram"></svg> <svg id="diagram"></svg>

100
cypress/platform/ghsa3.html Normal file
View File

@@ -0,0 +1,100 @@
<html>
<head>
<link href="https://fonts.googleapis.com/css?family=Montserrat&display=swap" rel="stylesheet" />
<link href="https://unpkg.com/tailwindcss@^1.0/dist/tailwind.min.css" rel="stylesheet" />
<link
rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"
/>
<link
href="https://fonts.googleapis.com/css?family=Noto+Sans+SC&display=swap"
rel="stylesheet"
/>
<style>
body {
/* background: rgb(221, 208, 208); */
/* background:#333; */
font-family: 'Arial';
/* font-size: 18px !important; */
}
h1 {
color: grey;
}
.mermaid2 {
display: none;
}
.mermaid svg {
/* font-size: 18px !important; */
}
.malware {
position: fixed;
bottom: 0;
left: 0;
right: 0;
height: 150px;
background: red;
color: black;
display: flex;
display: flex;
justify-content: center;
align-items: center;
font-family: monospace;
font-size: 72px;
}
</style>
</head>
<body>
<h1>PAGE SHOULD NOT BE RED</h1>
<div class="flex">
<div id="diagram" class="mermaid"></div>
<div id="res" class=""></div>
</div>
<script src="./mermaid.js"></script>
<script>
mermaid.parseError = function (err, hash) {
// console.error('Mermaid error: ', err);
};
mermaid.initialize({
theme: 'forest',
arrowMarkerAbsolute: true,
// themeCSS: '.edgePath .path {stroke: red;} .arrowheadPath {fill: red;}',
logLevel: 0,
state: {
defaultRenderer: 'dagre-wrapper',
},
flowchart: {
// defaultRenderer: 'dagre-wrapper',
nodeSpacing: 10,
curve: 'cardinal',
htmlLabels: true,
},
htmlLabels: true,
// gantt: { axisFormat: '%m/%d/%Y' },
sequence: { actorFontFamily: 'courier', actorMargin: 50, showSequenceNumbers: false },
// sequenceDiagram: { actorMargin: 300 } // deprecated
// fontFamily: '"times", sans-serif',
// fontFamily: 'courier',
fontSize: 18,
curve: 'basis',
// securityLevel: 'strict',
startOnLoad: false,
secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'],
// themeVariables: {relationLabelColor: 'red'}
});
function callback() {
alert('It worked');
}
let diagram = '%%{init: {"flowchart": {"htmlLabels": "true"}} }%%\n';
diagram += 'flowchart\n';
diagram += 'A["<p><sty';
diagram += 'le> * { background : red}</style>test</p>"]';
console.log(diagram);
// document.querySelector('#diagram').innerHTML = diagram;
mermaid.render('diagram', diagram, (res) => {
document.querySelector('#res').innerHTML = res;
});
</script>
</body>
</html>

276
cypress/platform/knsv3.html
View File

@@ -6,6 +6,10 @@
rel="stylesheet" rel="stylesheet"
href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"
/> />
<link
href="https://cdn.jsdelivr.net/npm/@mdi/font@6.9.96/css/materialdesignicons.min.css"
rel="stylesheet"
/>
<link <link
href="https://fonts.googleapis.com/css?family=Noto+Sans+SC&display=swap" href="https://fonts.googleapis.com/css?family=Noto+Sans+SC&display=swap"
rel="stylesheet" rel="stylesheet"
@@ -14,7 +18,7 @@
body { body {
/* background: rgb(221, 208, 208); */ /* background: rgb(221, 208, 208); */
/* background:#333; */ /* background:#333; */
font-family: 'Courier New', Courier, monospace; font-family: 'Arial';
/* font-size: 18px !important; */ /* font-size: 18px !important; */
} }
h1 { h1 {
@@ -23,235 +27,77 @@
.mermaid2 { .mermaid2 {
display: none; display: none;
} }
.mermaid { .mermaid svg {
border: 1px solid red;
font-family: 'Courier New', Courier, monospace;
/* font-size: 18px !important; */ /* font-size: 18px !important; */
background-color: #eee;
background-image: radial-gradient(#fff 1%, transparent 11%),
radial-gradient(#fff 1%, transparent 11%);
background-size: 20px 20px;
background-position: 0 0, 10px 10px;
background-repeat: repeat;
}
.malware {
position: fixed;
bottom: 0;
left: 0;
right: 0;
height: 150px;
background: red;
color: black;
display: flex;
display: flex;
justify-content: center;
align-items: center;
font-family: monospace;
font-size: 72px;
} }
</style> </style>
</head> </head>
<body> <body>
<div>info below</div> <div>Security check</div>
<div class=""> <pre id="diagram" class="mermaid">
<pre class="mermaid2" style="width: 100%; height: 400px">
flowchart TB;subgraph "number as labels";1;end;
</pre>
<pre class="mermaid2" style="width: 100%; height: 400px">
flowchart TB;a[APA];
</pre>
<pre class="mermaid2" style="margin-left: 100px">
graph TD
work --> sleep
sleep --> work
eat --> sleep
work --> eat
</pre>
<pre class="mermaid2" style="margin-left: 100px">
flowchart TD
work --> sleep
sleep --> work
eat --> sleep
work --> eat
</pre>
<pre class="mermaid2" style="">
graph TB
A
B
subgraph foo[Foo SubGraph]
C
D
end
subgraph bar[Bar SubGraph]
E
F
end
G
A-->B
B-->C
C-->D
B-->D
D-->E
E-->A
E-->F
F-->D
F-->G
B-->G
G-->D
style foo fill:#F99,stroke-width:2px,stroke:#F0F,color:darkred
style bar fill:#999,stroke-width:2px,stroke:#0F0,color:blue
</pre>
<pre class="mermaid2" style="">
graph TB
%%{init: { "logLevel": 1, "flowchart": {"htmlLabels":true }} }%%
A
B
subgraph foo[Foo SubGraph]
C
D
end
subgraph bar[Bar SubGraph]
E
F
end
G
A-->B
B-->C
C-->D
B-->D
D-->E
E-->A
E-->F
F-->D
F-->G
B-->G
G-->D
style foo fill:#F99,stroke-width:2px,stroke:#F0F,color:darkred
style bar fill:#999,stroke-width:10px,stroke:#0F0,color:blue
</pre>
<pre class="mermaid2" style="">
graph TD graph TD
A[Christmas] ==> D A["test"] --"<p><style> * { display : none}</style>test</p>"--> B
A[Christmas] -->|Get money| B(Go shopping) </pre>
A[Christmas] ==> C
</pre> <!-- <div id="cy"></div> -->
<pre class="mermaid2" style=""> <!-- <script src="http://localhost:9000/packages/mermaid-mindmap/dist/mermaid-mindmap-detector.js"></script> -->
graph TD <!-- <script src="./mermaid-example-diagram-detector.js"></script> -->
%%{init: { "logLevel": 1, "flowchart": {"htmlLabels":true }} }%% <!-- <script src="//cdn.jsdelivr.net/npm/mermaid@9.1.7/dist/mermaid.min.js"></script> -->
A[Christmas] ==> D <!-- <script src="./mermaid.js"></script> -->
A[Christmas] -->|Get money| B(Go shopping)
A[Christmas] ==> C <script type="module">
</pre> import mindmap from '../../packages/mermaid-mindmap/src/detector';
<pre class="mermaid2" style=""> // import example from '../../packages/mermaid-example-diagram/src/detector';
flowchart TD import mermaid from '../../packages/mermaid/src/mermaid';
A[Christmas] ==> D await mermaid.registerExternalDiagrams([mindmap]);
A[Christmas] -->|Get money| B(Go shopping)
A[Christmas] ==> C
</pre>
<pre class="mermaid2" style="">
flowchart TD
%%{init: { "logLevel": 1, "flowchart": {"htmlLabels":true }} }%%
A[Christmas] ==> D
A[Christmas] -->|Get money| B(Go shopping)
A[Christmas] ==> C
</pre>
<pre class="mermaid2" style="">
flowchart LR
a["<strong>Haiya</strong>"]---->b
</pre>
<pre class="mermaid" style="">
flowchart LR
%%{init: { "logLevel": 1, "flowchart": {"htmlLabels":true }} }%%
a["<strong>Haiya</strong>"]---->b
</pre>
<pre class="mermaid2" style="">
flowchart TD
A[Christmas] ==> D
A[Christmas] -->|Get money| B(Go shopping)
A[Christmas] ==> C
</pre>
<pre class="mermaid2" style="">
flowchart TD
%%{init: { "logLevel": 1, "flowchart": {"htmlLabels":true }} }%%
A[Christmas] ==> D
A[Christmas] -->|Get money| B(Go shopping)
A[Christmas] ==> C
</pre>
<pre class="mermaid2" style="">
%%{init: { "logLevel": 1, "flowchart": {"htmlLabels":true }} }%%
classDiagram-v2
Class01 <|-- AveryLongClass : Cool
&lt;&lt;interface&gt;&gt; Class01
Class03 *-- Class04
Class05 o-- Class06
Class07 .. Class08
Class09 --> C2 : Where am i?
Class09 --* C3
Class09 --|> Class07
Class12 <|.. Class08
Class11 ..>Class12
Class07 : equals()
Class07 : Object[] elementData
Class01 : size()
Class01 : int chimp
Class01 : int gorilla
Class01 : -int privateChimp
Class01 : +int publicGorilla
Class01 : #int protectedMarmoset
Class08 <--> C2: Cool label
class Class10 {
&lt;&lt;service&gt;&gt;
int id
test()
}
</pre>
<pre class="mermaid2" style="">
classDiagram-v2
Class01 <|-- AveryLongClass : Cool
&lt;&lt;interface&gt;&gt; Class01
Class03 *-- Class04
Class05 o-- Class06
Class07 .. Class08
Class09 --> C2 : Where am i?
Class09 --* C3
Class09 --|> Class07
Class12 <|.. Class08
Class11 ..>Class12
Class07 : equals()
Class07 : Object[] elementData
Class01 : size()
Class01 : int chimp
Class01 : int gorilla
Class01 : -int privateChimp
Class01 : +int publicGorilla
Class01 : #int protectedMarmoset
Class08 <--> C2: Cool label
class Class10 {
&lt;&lt;service&gt;&gt;
int id
test()
}
</pre>
<pre class="mermaid" style="">
flowchart BT
subgraph S1
sub1 -->sub2
end
subgraph S2
sub4
end
S1 --> S2
sub1 --> sub4
</pre>
</div>
<script src="./mermaid.js"></script>
<script>
mermaid.parseError = function (err, hash) { mermaid.parseError = function (err, hash) {
// console.error('Mermaid error: ', err); // console.error('Mermaid error: ', err);
}; };
mermaid.initialize({ mermaid.initialize({
// theme: 'neutral', theme: 'default',
// arrowMarkerAbsolute: true, startOnLoad: true,
// themeCSS: '.edgePath .path {stroke: red;} .arrowheadPath {fill: red;}',
logLevel: 0, logLevel: 0,
flowchart: { curve: 'cardinal', htmlLabels: false }, flowchart: {
// htmlLabels: true, useMaxWidth: false,
// gantt: { axisFormat: '%m/%d/%Y' }, htmlLabels: true,
// sequence: { actorFontFamily: 'courier', actorMargin: 50, showSequenceNumbers: false }, },
// sequenceDiagram: { actorMargin: 300 } // deprecated gantt: {
// fontFamily: '"times", sans-serif', useMaxWidth: false,
fontFamily: 'courier', },
// fontSize: 18, useMaxWidth: false,
// curve: 'cardinal',
securityLevel: 'loose',
// themeVariables: {relationLabelColor: 'red'}
}); });
function callback() { function callback() {
alert('It worked'); alert('It worked');
} }
mermaid.parseError = function (err, hash) {
console.error('In parse error:');
console.error(err);
};
// mermaid.test1('first_slow', 1200).then((r) => console.info(r));
// mermaid.test1('second_fast', 200).then((r) => console.info(r));
// mermaid.test1('third_fast', 200).then((r) => console.info(r));
// mermaid.test1('forth_slow', 1200).then((r) => console.info(r));
</script> </script>
</body> </body>
</html> </html>

4
packages/mermaid/src/diagrams/common/common.ts
View File

@@ -47,7 +47,9 @@ export const sanitizeText = (text: string, config: MermaidConfig): string => {
if (config.dompurifyConfig) { if (config.dompurifyConfig) {
text = DOMPurify.sanitize(sanitizeMore(text, config), config.dompurifyConfig).toString(); text = DOMPurify.sanitize(sanitizeMore(text, config), config.dompurifyConfig).toString();
} else { } else {
text = DOMPurify.sanitize(sanitizeMore(text, config)); text = DOMPurify.sanitize(sanitizeMore(text, config), {
FORBID_TAGS: ['style'],
}).toString();
} }
return text; return text;
}; };

4
packages/mermaid/src/mermaidAPI.ts
View File

@@ -536,7 +536,7 @@ const render = function (
if (isSandboxed) { if (isSandboxed) {
const svgEl = root.select(enclosingDivID_selector + ' svg').node(); const svgEl = root.select(enclosingDivID_selector + ' svg').node();
svgCode = putIntoIFrame(svgCode, svgEl); svgCode = putIntoIFrame(svgCode, svgEl);
} else if (isLooseSecurityLevel) { } else if (!isLooseSecurityLevel) {
// Sanitize the svgCode using DOMPurify // Sanitize the svgCode using DOMPurify
svgCode = DOMPurify.sanitize(svgCode, { svgCode = DOMPurify.sanitize(svgCode, {
ADD_TAGS: DOMPURE_TAGS, ADD_TAGS: DOMPURE_TAGS,
@@ -738,7 +738,7 @@ const renderAsync = async function (
if (isSandboxed) { if (isSandboxed) {
const svgEl = root.select(enclosingDivID_selector + ' svg').node(); const svgEl = root.select(enclosingDivID_selector + ' svg').node();
svgCode = putIntoIFrame(svgCode, svgEl); svgCode = putIntoIFrame(svgCode, svgEl);
} else if (isLooseSecurityLevel) { } else if (!isLooseSecurityLevel) {
// Sanitize the svgCode using DOMPurify // Sanitize the svgCode using DOMPurify
svgCode = DOMPurify.sanitize(svgCode, { svgCode = DOMPurify.sanitize(svgCode, {
ADD_TAGS: DOMPURE_TAGS, ADD_TAGS: DOMPURE_TAGS,