marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-09-16 05:49:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

Checking for shenanigans in the themeCSF field

Browse Source
This commit is contained in:
Knut Sveidqvist
2021-08-15 17:39:01 +02:00
parent 44d60d9727
commit a7b7554749
2 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/diagrams/common/common.js
View File

@@ -37,6 +37,17 @@ export const removeScript = (txt) => {
return rs; return rs;
}; };
/**
* Simple css sanitization
*/
export const sanitizeCSS = (css) => {
if (css.indexOf('url') >= 0) return '';
if (css.indexOf('/*') >= 0) return '';
if (css.indexOf('//') >= 0) return '';
return css;
};
const sanitizeMore = (text, config) => { const sanitizeMore = (text, config) => {
let txt = text; let txt = text;
let htmlLabels = true; let htmlLabels = true;
@@ -112,4 +123,5 @@ export default {
removeScript, removeScript,
getUrl, getUrl,
evaluate, evaluate,
sanitizeCSS,
}; };

3
src/mermaidAPI.js
View File

@@ -15,6 +15,7 @@
*/ */
import { select } from 'd3'; import { select } from 'd3';
import { compile, serialize, stringify } from 'stylis'; import { compile, serialize, stringify } from 'stylis';
import common from './diagrams/common/common';
import pkg from '../package.json'; import pkg from '../package.json';
import * as configApi from './config'; import * as configApi from './config';
import classDb from './diagrams/class/classDb'; import classDb from './diagrams/class/classDb';
@@ -284,7 +285,7 @@ const render = function (id, _txt, cb, container) {
let userStyles = ''; let userStyles = '';
// user provided theme CSS // user provided theme CSS
if (cnf.themeCSS !== undefined) { if (cnf.themeCSS !== undefined) {
userStyles += `\n${cnf.themeCSS}`; userStyles += `\n${common.sanitizeCSS(cnf.themeCSS)}`;
} }
// user provided theme CSS // user provided theme CSS
if (cnf.fontFamily !== undefined) { if (cnf.fontFamily !== undefined) {