Checking for shenanigans in the themeCSF field

src/diagrams/common/common.js

@@ -37,6 +37,17 @@ export const removeScript = (txt) => {
   return rs;
 };
 
+/**
+ * Simple css sanitization
+ */
+export const sanitizeCSS = (css) => {
+  if (css.indexOf('url') >= 0) return '';
+  if (css.indexOf('/*') >= 0) return '';
+  if (css.indexOf('//') >= 0) return '';
+
+  return css;
+};
+
 const sanitizeMore = (text, config) => {
   let txt = text;
   let htmlLabels = true;
@@ -112,4 +123,5 @@ export default {
   removeScript,
   getUrl,
   evaluate,
+  sanitizeCSS,
 };

src/mermaidAPI.js

@@ -15,6 +15,7 @@
  */
 import { select } from 'd3';
 import { compile, serialize, stringify } from 'stylis';
+import common from './diagrams/common/common';
 import pkg from '../package.json';
 import * as configApi from './config';
 import classDb from './diagrams/class/classDb';
@@ -284,7 +285,7 @@ const render = function (id, _txt, cb, container) {
   let userStyles = '';
   // user provided theme CSS
   if (cnf.themeCSS !== undefined) {
-    userStyles += `\n${cnf.themeCSS}`;
+    userStyles += `\n${common.sanitizeCSS(cnf.themeCSS)}`;
   }
   // user provided theme CSS
   if (cnf.fontFamily !== undefined) {