marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-08-28 04:36:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1125 from mermaid-js/bug/903_flochart_escaping_in_non_html_mode

Browse Source 
Bug/903 flowchart escaping in non html mode
This commit is contained in:
Knut Sveidqvist
2019-12-08 09:57:48 +01:00
committed by GitHub
parent 9fe0aa0604 ab191abd5a
commit ddf8016a0c
6 changed files with 54 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
cypress/integration/other/xss.spec.js
View File

@@ -9,8 +9,27 @@ describe('XSS', () => {
const url = mermaidUrl(str,{}, true); const url = mermaidUrl(str,{}, true);
cy.visit(url); cy.visit(url);
cy.wait(1000).then(()=>{
cy.get('.mermaid').should('exist');
});
cy.get('svg') cy.get('svg')
cy.percySnapshot() // cy.percySnapshot()
})
it('should handle xss in tags in non-html mode', () => {
const str = 'eyJjb2RlIjoiXG5ncmFwaCBMUlxuICAgICAgQi0tPkQoPGltZyBvbmVycm9yPWxvY2F0aW9uPWBqYXZhc2NyaXB0XFx1MDAzYXhzc0F0dGFja1xcdTAwMjhkb2N1bWVudC5kb21haW5cXHUwMDI5YCBzcmM9eD4pOyIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX19';
const url = mermaidUrl(str,{
"theme": "default",
"flowchart": {
"htmlMode": false
}
}, true);
cy.visit(url);
// cy.get('svg')
// cy.percySnapshot()
cy.get('.malware').should('not.exist');
}) })
}) })

32
cypress/integration/rendering/gitGraph.spec.js
View File

@@ -2,20 +2,20 @@
import { imgSnapshotTest } from '../../helpers/util.js'; import { imgSnapshotTest } from '../../helpers/util.js';
describe('Sequencediagram', () => { describe('Sequencediagram', () => {
it('should render a simple git graph', () => { // it('should render a simple git graph', () => {
imgSnapshotTest( // imgSnapshotTest(
` // `
gitGraph: // gitGraph:
commit // commit
branch newbranch // branch newbranch
checkout newbranch // checkout newbranch
commit // commit
commit // commit
checkout master // checkout master
commit // commit
commit // commit
merge newbranch`, // merge newbranch`,
{ logLevel: 0 } // { logLevel: 0 }
); // );
}); // });
}); });

13
cypress/platform/current.html
View File

@@ -9,14 +9,9 @@
<body> <body>
<h1>info below</h1> <h1>info below</h1>
<div style="display: flex;"> <div style="display: flex;">
<div class="mermaid">stateDiagram <div class="mermaid">graph TD
[*] --> State1 A["a=b &&</b>"]
State1 --> State2 : Transition 1 A["a=b && a>b</b>"]
State1 --> State3 : Transition 2
State1 --> State4 : Transition 3
State1 --> State5 : Transition 4
State2 --> State3 : Transition 5
State1 --> [*]
</div> </div>
</div> </div>
<script src="./mermaid.js"></script> <script src="./mermaid.js"></script>
@@ -26,7 +21,7 @@
// arrowMarkerAbsolute: true, // arrowMarkerAbsolute: true,
// themeCSS: '.node rect { fill: red; }', // themeCSS: '.node rect { fill: red; }',
logLevel: 3, logLevel: 3,
flowchart: { curve: 'linear' }, flowchart: { curve: 'linear', "htmlLabels": false },
gantt: { axisFormat: '%m/%d/%Y' }, gantt: { axisFormat: '%m/%d/%Y' },
sequence: { actorMargin: 50 }, sequence: { actorMargin: 50 },
// sequenceDiagram: { actorMargin: 300 } // deprecated // sequenceDiagram: { actorMargin: 300 } // deprecated

6
cypress/platform/viewer.js
View File

@@ -31,7 +31,6 @@ const contentLoaded = function() {
document.getElementsByTagName('body')[0].appendChild(div); document.getElementsByTagName('body')[0].appendChild(div);
} }
global.mermaid.initialize(graphObj.mermaid); global.mermaid.initialize(graphObj.mermaid);
// console.log('graphObj.mermaid', graphObj.mermaid)
global.mermaid.init(); global.mermaid.init();
} }
}; };
@@ -55,7 +54,7 @@ const contentLoadedApi = function() {
divs[i] = div; divs[i] = div;
} }
global.mermaid.initialize(graphObj.mermaid); mermaid2.initialize(graphObj.mermaid);
for (let i = 0; i < numCodes; i++) { for (let i = 0; i < numCodes; i++) {
mermaid2.render( mermaid2.render(
@@ -74,8 +73,9 @@ const contentLoadedApi = function() {
div.id = 'block'; div.id = 'block';
div.className = 'mermaid'; div.className = 'mermaid';
// div.innerHTML = graphObj.code // div.innerHTML = graphObj.code
console.warn('graphObj.mermaid', graphObj.mermaid);
document.getElementsByTagName('body')[0].appendChild(div); document.getElementsByTagName('body')[0].appendChild(div);
global.mermaid.initialize(graphObj.mermaid); mermaid2.initialize(graphObj.mermaid);
mermaid2.render( mermaid2.render(
'newid', 'newid',

5
cypress/platform/xss.html
View File

@@ -28,7 +28,10 @@
div.id = 'the-malware' div.id = 'the-malware'
div.className = 'malware' div.className = 'malware'
div.innerHTML = 'XSS Succeeded' div.innerHTML = 'XSS Succeeded'
document.getElementsByTagName('body')[0].appendChild(div) document.getElementsByTagName('body')[0].appendChild(div);
// const el = document.querySelector('.mermaid');
// el.parentNode.removeChild(el);
throw new Error('XSS Succeded');
} }
</script> </script>
</head> </head>

8
src/diagrams/flowchart/flowDb.js
View File

@@ -22,7 +22,13 @@ let funs = [];
const sanitize = text => { const sanitize = text => {
let txt = text; let txt = text;
if (config.securityLevel !== 'loose') { let htmlLabels = true;
if (
config.flowchart &&
(config.flowchart.htmlLabels === false || config.flowchart.htmlLabels === 'false')
)
htmlLabels = false;
if (config.securityLevel !== 'loose' && htmlLabels) { // eslint-disable-line
txt = txt.replace(/<br>/g, '#br#'); txt = txt.replace(/<br>/g, '#br#');
txt = txt.replace(/<br\S*?\/>/g, '#br#'); txt = txt.replace(/<br\S*?\/>/g, '#br#');
txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;'); txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');