add security level antiscript option, to let use rich html format but remove all script element.

src/config.js

@@ -77,11 +77,12 @@ const config = {
   /**
    *| Parameter | Description |Type | Required | Values|
    *| --- | --- | --- | --- | --- |
-   *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose |
+   *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose, antiscript |
    *
    ***Notes:
    *-   **strict**: (**default**) tags in text are encoded, click functionality is disabeled
    *-   **loose**: tags in text are allowed, click functionality is enabled
+   *-   **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled
    */
   securityLevel: 'strict',
 

src/diagrams/common/common.js

@@ -5,6 +5,30 @@ export const getRows = s => {
   return str.split('#br#');
 };
 
+export const removeScript = txt => {
+  var rs = '';
+  var idx = 0;
+
+  while (idx >= 0) {
+    idx = txt.indexOf('<script');
+    if (idx >= 0) {
+      rs += txt.substr(0, idx);
+      txt = txt.substr(idx + 1);
+
+      idx = txt.indexOf('</script>');
+      if (idx >= 0) {
+        idx += 9;
+        txt = txt.substr(idx);
+      }
+    } else {
+      rs += txt;
+      idx = -1;
+      break;
+    }
+  }
+  return rs;
+};
+
 export const sanitizeText = (text, config) => {
   let txt = text;
   let htmlLabels = true;
@@ -14,13 +38,19 @@ export const sanitizeText = (text, config) => {
   )
     htmlLabels = false;
 
-  if (config.securityLevel !== 'loose' && htmlLabels) {
+  if (htmlLabels) {
+    var level = config.securityLevel;
+
+    if (level == 'antiscript') {
+      txt = removeScript(txt);
+    } else if (level !== 'loose') {
       // eslint-disable-line
       txt = breakToPlaceholder(txt);
       txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
       txt = txt.replace(/=/g, '&equals;');
       txt = placeholderToBreak(txt);
     }
+  }
 
   return txt;
 };
@@ -48,5 +78,6 @@ export default {
   sanitizeText,
   hasBreaks,
   splitBreaks,
-  lineBreakRegex
+  lineBreakRegex,
+  removeScript
 };

src/diagrams/common/common.spec.js

@@ -0,0 +1,26 @@
+import { removeScript } from './common';
+
+describe('when securityLevel is antiscript, all script must be removed', function() {
+  it('should remove all script block, script inline.', function() {
+    const labelString = `1
+		Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
+		<b>Act2</b>:
+		1<script>
+			alert('script run......');
+		</script>1
+	1`;
+
+	const result = removeScript(labelString);
+	const hasScript = (result.indexOf("script") >= 0);
+    expect(hasScript).toEqual(false);
+
+	const exactlyString = `1
+		Act1: Hello 11
+		<b>Act2</b>:
+		11
+	1`;
+
+	const isEqual = (result == exactlyString);
+    expect(isEqual).toEqual(true);
+  });
+});