Fix for XSS vulnerability in url sanitization

This commit is contained in:
Knut Sveidqvist
2021-12-28 16:59:22 +01:00
parent 6f800be33b
commit f4c335ad2f
6 changed files with 249 additions and 9 deletions


@@ -1,5 +1,6 @@
import common from '../common/common';
import { addFunction } from '../../interactionDb';
import { sanitizeUrl } from '@braintree/sanitize-url';
export const drawRect = function (elem, rectData) {
const rectElem = elem.append('rect');
@@ -19,12 +20,12 @@ export const drawRect = function (elem, rectData) {
return rectElem;
};
const sanitizeUrl = function (s) {
return s
.replace(/&/g, '&')
.replace(/</g, '&lt;')
.replace(/javascript:/g, '');
};
// const sanitizeUrl = function (s) {
// return s
// .replace(/&/g, '&amp;')
// .replace(/</g, '&lt;')
// .replace(/javascript:/g, '');
// };
const addPopupInteraction = (id, actorCnt) => {
addFunction(() => {
@@ -1055,4 +1056,5 @@ export default {
popupMenu,
popdownMenu,
fixLifeLineHeights,
sanitizeUrl,
};
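Review bot: The old sanitizer survives as commented-out code in the `// const sanitizeUrl = function (s) {` block after `drawRect`; it should be deleted rather than commented, since the history is in the commit and the dead copy invites re-enabling a sanitizer that matched a lowercase `javascript:` substring in a single pass. The replacement also changes what callers receive: as far as I recall, `@braintree/sanitize-url` only vets the URL scheme and neutralises disallowed ones, and does not HTML-escape `<` or `&` the way the removed function did, so any consumer of the helper re-exported in the last hunk (`sanitizeUrl,` in the default export) that used it for text content rather than an `href`/`xlink:href` attribute should be re-checked. A comment at the re-export would make the new contract explicit: `// sanitizeUrl (from @braintree/sanitize-url) vets the URL scheme only; it does not escape markup`. The other five changed files are not shown here, so the call sites cannot be confirmed from this page.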