marcel/mermaid
1
0
Fork 0
mirror of https://github.com/mermaid-js/mermaid.git synced 2025-11-19 20:24:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: Use DOMPurify to sanitize HTML content

Browse Source 
on-behalf-of: @Mermaid-Chart <hello@mermaidchart.com>
This commit is contained in:
darshanr0107
2025-10-16 11:52:26 +05:30
parent feed9d75bb
commit fcd2791b2d
2 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/mermaid/src/diagrams/class/classDb.ts
View File

@@ -26,6 +26,7 @@ import type {
} from './classTypes.js'; } from './classTypes.js';
import type { Node, Edge } from '../../rendering-util/types.js'; import type { Node, Edge } from '../../rendering-util/types.js';
import type { DiagramDB } from '../../diagram-api/types.js'; import type { DiagramDB } from '../../diagram-api/types.js';
import DOMPurify from 'dompurify';
const MERMAID_DOM_ID_PREFIX = 'classId-'; const MERMAID_DOM_ID_PREFIX = 'classId-';
let classCounter = 0; let classCounter = 0;
@@ -504,7 +505,7 @@ export class ClassDB implements DiagramDB {
const rect = (event.currentTarget as Element).getBoundingClientRect(); const rect = (event.currentTarget as Element).getBoundingClientRect();
tooltipElem.transition().duration(200).style('opacity', '.9'); tooltipElem.transition().duration(200).style('opacity', '.9');
tooltipElem tooltipElem
.html(this.escapeHtml(title).replace(/&lt;br\/&gt;/g, '<br/>')) .html(DOMPurify.sanitize(title))
.style('left', `${window.scrollX + rect.left + rect.width / 2}px`) .style('left', `${window.scrollX + rect.left + rect.width / 2}px`)
.style('top', `${window.scrollY + rect.bottom + 4}px`); .style('top', `${window.scrollY + rect.bottom + 4}px`);

4
packages/mermaid/src/diagrams/flowchart/flowDb.ts
View File

@@ -27,7 +27,7 @@ import type {
FlowVertex, FlowVertex,
FlowVertexTypeParam, FlowVertexTypeParam,
} from './types.js'; } from './types.js';
import DOMPurify from 'dompurify';
interface LinkData { interface LinkData {
id: string; id: string;
} }
@@ -596,7 +596,7 @@ You have to call mermaid.initialize.`
.text(el.attr('title')) .text(el.attr('title'))
.style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px') .style('left', window.scrollX + rect.left + (rect.right - rect.left) / 2 + 'px')
.style('top', window.scrollY + rect.bottom + 'px'); .style('top', window.scrollY + rect.bottom + 'px');
tooltipElem.html(tooltipElem.html().replace(/&lt;br\/&gt;/g, '<br/>')); tooltipElem.html(DOMPurify.sanitize(title));
el.classed('hover', true); el.classed('hover', true);
}) })
.on('mouseout', (e: MouseEvent) => { .on('mouseout', (e: MouseEvent) => {