From f528e2daa4d8e54bdcabbe74ed8e8b3c61d349d5 Mon Sep 17 00:00:00 2001
From: darshanr0107
Date: Thu, 19 Jun 2025 12:59:51 +0530
Subject: [PATCH] fix multicharacter sanitization

---
 packages/mermaid/src/diagrams/timeline/svgDraw.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/mermaid/src/diagrams/timeline/svgDraw.js b/packages/mermaid/src/diagrams/timeline/svgDraw.js
index ed1a7f400..927490607 100644
--- a/packages/mermaid/src/diagrams/timeline/svgDraw.js
+++ b/packages/mermaid/src/diagrams/timeline/svgDraw.js
@@ -1,5 +1,6 @@
 import { arc as d3arc, select } from 'd3';
 import { createText } from '../../rendering-util/createText.js';
+import DOMPurify from 'dompurify';
 
 const MAX_SECTIONS = 12;
 
@@ -12,9 +13,10 @@ const MAX_SECTIONS = 12;
  */
 const processHtmlContent = async function (textElem, node, conf, isVirtual = false) {
   // Create temporary text to get initial dimensions
+  const sanitizedHtml = DOMPurify.sanitize(node.descr, { ALLOWED_TAGS: [] });
   const tempText = textElem
     .append('text')
-    .text(node.descr.replace(/<[^>]*>/g, ''))
+    .text(sanitizedHtml)
     .attr('dy', '1em')
     .attr('alignment-baseline', 'middle')
     .attr('dominant-baseline', 'middle')
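Review bot: The value bound on the added `const sanitizedHtml` line is still HTML-serialized output, so with `ALLOWED_TAGS: []` any `&`, `<` or `>` left in node.descr comes back entity-encoded (`Tom & Jerry` becomes `Tom &amp; Jerry`), and because d3's `.text()` assigns textContent the entity is then measured and shown literally, which the replaced regex strip did not do. If plain text is the intent, take the decoded content instead: `const sanitizedHtml = DOMPurify.sanitize(node.descr, { ALLOWED_TAGS: [], RETURN_DOM_FRAGMENT: true }).textContent;`. Since `.text()` was never an innerHTML sink, this line is about robust markup stripping rather than closing an XSS path, and a comment saying so would stop the next reader from treating it as the security boundary, e.g. `// Strip markup with a real HTML parser; the old regex missed nested/overlapping tags`. The name sanitizedHtml is also misleading for a tag-free string; `plainDescr` would read better. processHtmlContent continues past the hunk, so where this value is used afterwards is not visible here.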