From a7b7554749e220e935ffcf75f3f60bdfb9379ffc Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist
Date: Sun, 15 Aug 2021 17:39:01 +0200
Subject: [PATCH] Checking for shenanigans in the themeCSF field

---
 src/diagrams/common/common.js | 12 ++++++++++++
 src/mermaidAPI.js | 3 ++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/diagrams/common/common.js b/src/diagrams/common/common.js
index b95ea7784..3ad8f2382 100644
--- a/src/diagrams/common/common.js
+++ b/src/diagrams/common/common.js
@@ -37,6 +37,17 @@ export const removeScript = (txt) => {
 return rs;
 };
+/**
+ * Simple css sanitization
+ */
+export const sanitizeCSS = (css) => {
+ if (css.indexOf('url') >= 0) return '';
+ if (css.indexOf('/*') >= 0) return '';
+ if (css.indexOf('//') >= 0) return '';
+
+ return css;
+};
+
 const sanitizeMore = (text, config) => {
 let txt = text;
 let htmlLabels = true;
@@ -112,4 +123,5 @@ export default {
 removeScript,
 getUrl,
 evaluate,
+ sanitizeCSS,
 };
diff --git a/src/mermaidAPI.js b/src/mermaidAPI.js
index a8a95f2c9..604328035 100755
--- a/src/mermaidAPI.js
+++ b/src/mermaidAPI.js
@@ -15,6 +15,7 @@
 */
 import { select } from 'd3';
 import { compile, serialize, stringify } from 'stylis';
+import common from './diagrams/common/common';
 import pkg from '../package.json';
 import * as configApi from './config';
 import classDb from './diagrams/class/classDb';
@@ -284,7 +285,7 @@ const render = function (id, _txt, cb, container) {
 let userStyles = '';
 // user provided theme CSS
 if (cnf.themeCSS !== undefined) {
- userStyles += `\n${cnf.themeCSS}`;
+ userStyles += `\n${common.sanitizeCSS(cnf.themeCSS)}`;
 }
 // user provided theme CSS
 if (cnf.fontFamily !== undefined) {
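Review bot: The three `indexOf` checks in `sanitizeCSS` compare case-sensitively against the raw string, but CSS function names and at-rules are case-insensitive, so a substring denylist on the unnormalized input misses non-canonical spellings; at minimum match on `const lowered = css.toLowerCase();`, and prefer an allowlist of permitted properties over a blocklist if the threat model is untrusted theme input. The function also assumes a string argument: the call site in mermaidAPI.js guards `cnf.themeCSS` only against `undefined`, so a `null` or non-string config value throws inside `css.indexOf`; add `if (typeof css !== 'string') return '';` before the checks. A rejected theme is silently replaced by an empty string, which hides the misconfiguration from the user, so consider returning something the caller can report on or logging the rejection. The JSDoc should state the contract rather than just "Simple css sanitization", e.g. `@param {string} css - user supplied theme CSS` and `@returns {string} the input unchanged, or '' when a disallowed token is found`.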
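Review bot: The replaced line now sanitizes `cnf.themeCSS`, but the adjacent `fontFamily` branch, whose body lies outside the hunk, appears to append another user-provided config value to the same `userStyles` string; if it interpolates `cnf.fontFamily` the way the old line did for themeCSS, it presumably needs the same treatment, since the two end up in the same stylesheet. When `sanitizeCSS` rejects the theme this branch still appends only `\n`, so the user gets no indication that their theme was dropped; consider warning when the sanitized result differs from `cnf.themeCSS`. While here, the second `// user provided theme CSS` comment labels the fontFamily check and could read `// user provided font family`. `render` starts and ends outside the hunk.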