chore: save eslintcache to speedup linting

fix: Config handling
Co-authored-by: Saurabh Gore <saurabh@mermaidchart.com>
2025-09-30 20:59:36 +02:00 · 2025-08-18 17:36:30 +05:30 · 2025-08-18 17:26:01 +05:30 · 2025-08-18 11:52:01 +00:00 · 2025-08-18 17:16:32 +05:30 · 2025-08-18 17:00:40 +05:30
36 changed files with 325 additions and 120 deletions
--- a/.changeset/busy-clocks-melt.md
+++ b/.changeset/busy-clocks-melt.md
@@ -0,0 +1,6 @@
+---
+'@mermaid-js/layout-elk': patch
+'mermaid': patch
+---
+
+feat: Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration
--- a/.changeset/good-weeks-tickle.md
+++ b/.changeset/good-weeks-tickle.md
@@ -0,0 +1,7 @@
+---
+'mermaid': patch
+---
+
+fix: sanitize icon labels and icon SVGs
+
+Resolves CVE-2025-54880 reported by @fourcube
--- a/.changeset/spicy-ties-see.md
+++ b/.changeset/spicy-ties-see.md
@@ -0,0 +1,5 @@
+---
+'@mermaid-js/layout-elk': patch
+---
+
+Make elk not force node model order, but strongly consider it instead
--- a/.changeset/strong-laws-confess.md
+++ b/.changeset/strong-laws-confess.md
@@ -0,0 +1,9 @@
+---
+'mermaid': patch
+---
+
+fix: fallback to raw text instead of rendering _Unsupported markdown_ or empty blocks
+
+Instead of printing **Unsupported markdown: XXX**, or empty blocks when using a markdown feature
+that Mermaid does not yet support when `htmlLabels: true`(default) or `htmlLabels: false`,
+fallback to the raw markdown text.
--- a/.changeset/tidy-weeks-play.md
+++ b/.changeset/tidy-weeks-play.md
@@ -0,0 +1,7 @@
+---
+'mermaid': patch
+---
+
+fix: sanitize KATEX blocks
+
+Resolves CVE-2025-54881 reported by @fourcube
--- a/.cspell/libraries.txt
+++ b/.cspell/libraries.txt
@@ -24,6 +24,7 @@ Doctave
 DokuWiki
 dompurify
 elkjs
+eslintcache
 fcose
 fontawesome
 Fonticons
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -40,6 +40,14 @@ jobs:
        env:
          CYPRESS_CACHE_FOLDER: .cache/Cypress

+      - name: Setup ESLint cache
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        with:
+          path: .eslintcache
+          key: ${{ runner.os }}-eslint-${{ hashFiles('pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-eslint-
+
      - name: Run Linting
        shell: bash
        run: |
--- a/.lintstagedrc.mjs
+++ b/.lintstagedrc.mjs
@@ -7,5 +7,6 @@ export default {
    'prettier --write',
  ],
  '.cspell/*.txt': ['tsx scripts/fixCSpell.ts'],
+  '**/*.md': ['pnpm cspell'],
  '**/*.jison': ['pnpm -w run lint:jison'],
 };
--- a/cypress/helpers/util.ts
+++ b/cypress/helpers/util.ts
@@ -14,7 +14,7 @@ interface CodeObject {
  mermaid: CypressMermaidConfig;
 }

-const utf8ToB64 = (str: string): string => {
+export const utf8ToB64 = (str: string): string => {
  return Buffer.from(decodeURIComponent(encodeURIComponent(str))).toString('base64');
 };

@@ -22,7 +22,7 @@ const batchId: string =
  'mermaid-batch-' +
  (Cypress.env('useAppli')
    ? Date.now().toString()
-    : Cypress.env('CYPRESS_COMMIT') || Date.now().toString());
+    : (Cypress.env('CYPRESS_COMMIT') ?? Date.now().toString()));

 export const mermaidUrl = (
  graphStr: string | string[],
@@ -61,9 +61,7 @@ export const imgSnapshotTest = (
    sequence: {
      ...(_options.sequence ?? {}),
      actorFontFamily: 'courier',
-      noteFontFamily: _options.sequence?.noteFontFamily
-        ? _options.sequence.noteFontFamily
-        : 'courier',
+      noteFontFamily: _options.sequence?.noteFontFamily ?? 'courier',
      messageFontFamily: 'courier',
    },
  };
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -1,4 +1,4 @@
-import { mermaidUrl } from '../../helpers/util.ts';
+import { imgSnapshotTest, mermaidUrl, utf8ToB64 } from '../../helpers/util.ts';
 describe('XSS', () => {
  it('should handle xss in tags', () => {
    const str =
@@ -141,4 +141,37 @@ describe('XSS', () => {
    cy.wait(1000);
    cy.get('#the-malware').should('not.exist');
  });
+
+  it('should sanitize icon labels in architecture diagrams', () => {
+    const str = JSON.stringify({
+      code: `architecture-beta
+    group api(cloud)[API]
+    service db "<img src=x onerror=\\"xssAttack()\\">" [Database] in api`,
+    });
+    imgSnapshotTest(utf8ToB64(str), {}, true);
+    cy.wait(1000);
+    cy.get('#the-malware').should('not.exist');
+  });
+
+  it('should sanitize katex blocks', () => {
+    const str = JSON.stringify({
+      code: `sequenceDiagram
+    participant A as Alice<img src="x" onerror="xssAttack()">$$\\text{Alice}$$
+    A->>John: Hello John, how are you?`,
+    });
+    imgSnapshotTest(utf8ToB64(str), {}, true);
+    cy.wait(1000);
+    cy.get('#the-malware').should('not.exist');
+  });
+
+  it('should sanitize labels', () => {
+    const str = JSON.stringify({
+      code: `erDiagram
+    "<img src=x onerror=xssAttack()>" ||--|| ENTITY2 : "<img src=x onerror=xssAttack()>"
+    `,
+    });
+    imgSnapshotTest(utf8ToB64(str), {}, true);
+    cy.wait(1000);
+    cy.get('#the-malware').should('not.exist');
+  });
 });
--- a/cypress/integration/rendering/flowchart-elk.spec.js
+++ b/cypress/integration/rendering/flowchart-elk.spec.js
@@ -1053,6 +1053,21 @@ flowchart LR
      });
    });
  });
+
+  it('6647-elk: should keep node order when using elk layout unless it would add crossings', () => {
+    imgSnapshotTest(
+      `---
+config:
+  layout: elk
+---
+      flowchart TB
+        a --> a1 & a2 & a3 & a4
+        b --> b1 & b2
+        b2 --> b3
+        b1 --> b4
+      `
+    );
+  });
 });

 describe('Title and arrow styling #4813', () => {
--- a/cypress/integration/rendering/flowchart-v2.spec.js
+++ b/cypress/integration/rendering/flowchart-v2.spec.js
@@ -1118,7 +1118,7 @@ end
      imgSnapshotTest(
        `flowchart TB
          A(["Start"]) --> n1["Untitled Node"]
-          A --> n2["Untitled Node"]     
+          A --> n2["Untitled Node"]
        `,
        {}
      );
@@ -1127,7 +1127,7 @@ end
      imgSnapshotTest(
        `flowchart BT
          n2["Untitled Node"] --> n1["Diamond"]
-          n1@{ shape: diam}     
+          n1@{ shape: diam}
        `,
        {}
      );
@@ -1138,7 +1138,7 @@ end
        n2["Untitled Node"] --> n1["Rounded Rectangle"]
        n3["Untitled Node"] --> n1
        n1@{ shape: rounded}
-        n3@{ shape: rect}  
+        n3@{ shape: rect}
    `,
        {}
      );
@@ -1164,4 +1164,26 @@ end
      `
    );
  });
+
+  describe('when rendering unsuported markdown', () => {
+    const graph = `flowchart TB
+    mermaid{"What is\nyourmermaid version?"} --> v10["<11"] --"\`<**1**1\`"--> fine["No bug"]
+    mermaid --> v11[">= v11"] -- ">= v11" --> broken["Affected by https://github.com/mermaid-js/mermaid/issues/5824"]
+    subgraph subgraph1["\`How to fix **fix**\`"]
+        broken --> B["B"]
+    end
+    githost["Github, Gitlab, BitBucket, etc."]
+    githost2["\`Github, Gitlab, BitBucket, etc.\`"]
+    a["1."]
+    b["- x"]
+      `;
+
+    it('should render raw strings', () => {
+      imgSnapshotTest(graph);
+    });
+
+    it('should render raw strings with htmlLabels: false', () => {
+      imgSnapshotTest(graph, { htmlLabels: false });
+    });
+  });
 });
--- a/cypress/platform/knsv2.html
+++ b/cypress/platform/knsv2.html
@@ -131,6 +131,22 @@

  <body>
    <pre id="diagram4" class="mermaid">
+---
+config:
+  layout: elk
+  elk:
+    mergeEdges: false
+    forceNodeModelOrder: false
+    considerModelOrder: NONE
+
+---
+            flowchart TB
+              a --> a1 & a2 & a3 & a4
+              b --> b1 & b2
+              b2 --> b3
+              b1 --> b4</pre
+    >
+    <pre id="diagram4" class="mermaid">
 treemap
 "Section 1"
    "Leaf 1.1": 12
--- a/cypress/platform/sidv.html
+++ b/cypress/platform/sidv.html
@@ -41,10 +41,6 @@ graph TB
      const { svg } = await mermaid.render('d22', value);
      console.log(svg);
      el.innerHTML = svg;
-      // mermaid.test1('first_slow', 1200).then((r) => console.info(r));
-      // mermaid.test1('second_fast', 200).then((r) => console.info(r));
-      // mermaid.test1('third_fast', 200).then((r) => console.info(r));
-      // mermaid.test1('forth_slow', 1200).then((r) => console.info(r));
    </script>
  </body>
 </html>
--- a/cypress/platform/viewer.js
+++ b/cypress/platform/viewer.js
@@ -182,7 +182,7 @@ const contentLoadedApi = async function () {
      for (let i = 0; i < numCodes; i++) {
        const { svg, bindFunctions } = await mermaid.render('newid' + i, graphObj.code[i], divs[i]);
        div.innerHTML = svg;
-        bindFunctions(div);
+        bindFunctions?.(div);
      }
    } else {
      const div = document.createElement('div');
@@ -194,7 +194,7 @@ const contentLoadedApi = async function () {
      const { svg, bindFunctions } = await mermaid.render('newid', graphObj.code, div);
      div.innerHTML = svg;
      console.log(div.innerHTML);
-      bindFunctions(div);
+      bindFunctions?.(div);
    }
  }
 };
--- a/demos/sankey.html
+++ b/demos/sankey.html
@@ -20,14 +20,14 @@
          width: 800
          nodeAlignment: left
      ---
-     sankey   
+     sankey
        a,b,8
        b,c,8
        c,d,8
        d,e,8
-        
+
        x,c,4
-        c,y,4 
+        c,y,4
    </pre>

    <h2>Energy flow</h2>
--- a/docs/config/setup/defaultConfig/variables/configKeys.md
+++ b/docs/config/setup/defaultConfig/variables/configKeys.md
@@ -12,4 +12,4 @@

 > `const` **configKeys**: `Set`<`string`>

-Defined in: [packages/mermaid/src/defaultConfig.ts:290](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/defaultConfig.ts#L290)
+Defined in: [packages/mermaid/src/defaultConfig.ts:292](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/defaultConfig.ts#L292)
--- a/docs/config/setup/mermaid/interfaces/MermaidConfig.md
+++ b/docs/config/setup/mermaid/interfaces/MermaidConfig.md
@@ -18,7 +18,7 @@ Defined in: [packages/mermaid/src/config.type.ts:58](https://github.com/mermaid-

 > `optional` **altFontFamily**: `string`

-Defined in: [packages/mermaid/src/config.type.ts:122](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L122)
+Defined in: [packages/mermaid/src/config.type.ts:132](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L132)

 ---

@@ -26,7 +26,7 @@ Defined in: [packages/mermaid/src/config.type.ts:122](https://github.com/mermaid

 > `optional` **architecture**: `ArchitectureDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:194](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L194)
+Defined in: [packages/mermaid/src/config.type.ts:204](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L204)

 ---

@@ -34,7 +34,7 @@ Defined in: [packages/mermaid/src/config.type.ts:194](https://github.com/mermaid

 > `optional` **arrowMarkerAbsolute**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:141](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L141)
+Defined in: [packages/mermaid/src/config.type.ts:151](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L151)

 Controls whether or arrow markers in html code are absolute paths or anchors.
 This matters if you are using base tag settings.
@@ -45,7 +45,7 @@ This matters if you are using base tag settings.

 > `optional` **block**: `BlockDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:201](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L201)
+Defined in: [packages/mermaid/src/config.type.ts:211](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L211)

 ---

@@ -53,7 +53,7 @@ Defined in: [packages/mermaid/src/config.type.ts:201](https://github.com/mermaid

 > `optional` **c4**: `C4DiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:198](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L198)
+Defined in: [packages/mermaid/src/config.type.ts:208](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L208)

 ---

@@ -61,7 +61,7 @@ Defined in: [packages/mermaid/src/config.type.ts:198](https://github.com/mermaid

 > `optional` **class**: `ClassDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:187](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L187)
+Defined in: [packages/mermaid/src/config.type.ts:197](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L197)

 ---

@@ -69,7 +69,7 @@ Defined in: [packages/mermaid/src/config.type.ts:187](https://github.com/mermaid

 > `optional` **darkMode**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:113](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L113)
+Defined in: [packages/mermaid/src/config.type.ts:123](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L123)

 ---

@@ -77,7 +77,7 @@ Defined in: [packages/mermaid/src/config.type.ts:113](https://github.com/mermaid

 > `optional` **deterministicIds**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:174](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L174)
+Defined in: [packages/mermaid/src/config.type.ts:184](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L184)

 This option controls if the generated ids of nodes in the SVG are
 generated randomly or based on a seed.
@@ -93,7 +93,7 @@ should not change unless content is changed.

 > `optional` **deterministicIDSeed**: `string`

-Defined in: [packages/mermaid/src/config.type.ts:181](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L181)
+Defined in: [packages/mermaid/src/config.type.ts:191](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L191)

 This option is the optional seed for deterministic ids.
 If set to `undefined` but deterministicIds is `true`, a simple number iterator is used.
@@ -105,7 +105,7 @@ You can set this attribute to base the seed on a static string.

 > `optional` **dompurifyConfig**: `Config`

-Defined in: [packages/mermaid/src/config.type.ts:203](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L203)
+Defined in: [packages/mermaid/src/config.type.ts:213](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L213)

 ---

@@ -115,12 +115,24 @@ Defined in: [packages/mermaid/src/config.type.ts:203](https://github.com/mermaid

 Defined in: [packages/mermaid/src/config.type.ts:91](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L91)

+#### considerModelOrder?
+
+> `optional` **considerModelOrder**: `"NONE"` | `"NODES_AND_EDGES"` | `"PREFER_EDGES"` | `"PREFER_NODES"`
+
+Preserves the order of nodes and edges in the model file if this does not lead to additional edge crossings. Depending on the strategy this is not always possible since the node and edge order might be conflicting.
+
 #### cycleBreakingStrategy?

 > `optional` **cycleBreakingStrategy**: `"GREEDY"` | `"DEPTH_FIRST"` | `"INTERACTIVE"` | `"MODEL_ORDER"` | `"GREEDY_MODEL_ORDER"`

 This strategy decides how to find cycles in the graph and deciding which edges need adjustment to break loops.

+#### forceNodeModelOrder?
+
+> `optional` **forceNodeModelOrder**: `boolean`
+
+The node order given by the model does not change to produce a better layout. E.g. if node A is before node B in the model this is not changed during crossing minimization. This assumes that the node model order is already respected before crossing minimization. This can be achieved by setting considerModelOrder.strategy to NODES_AND_EDGES.
+
 #### mergeEdges?

 > `optional` **mergeEdges**: `boolean`
@@ -139,7 +151,7 @@ Elk specific option affecting how nodes are placed.

 > `optional` **er**: `ErDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:189](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L189)
+Defined in: [packages/mermaid/src/config.type.ts:199](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L199)

 ---

@@ -147,7 +159,7 @@ Defined in: [packages/mermaid/src/config.type.ts:189](https://github.com/mermaid

 > `optional` **flowchart**: `FlowchartDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:182](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L182)
+Defined in: [packages/mermaid/src/config.type.ts:192](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L192)

 ---

@@ -155,7 +167,7 @@ Defined in: [packages/mermaid/src/config.type.ts:182](https://github.com/mermaid

 > `optional` **fontFamily**: `string`

-Defined in: [packages/mermaid/src/config.type.ts:121](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L121)
+Defined in: [packages/mermaid/src/config.type.ts:131](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L131)

 Specifies the font to be used in the rendered diagrams.
 Can be any possible CSS `font-family`.
@@ -167,7 +179,7 @@ See <https://developer.mozilla.org/en-US/docs/Web/CSS/font-family>

 > `optional` **fontSize**: `number`

-Defined in: [packages/mermaid/src/config.type.ts:205](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L205)
+Defined in: [packages/mermaid/src/config.type.ts:215](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L215)

 ---

@@ -175,7 +187,7 @@ Defined in: [packages/mermaid/src/config.type.ts:205](https://github.com/mermaid

 > `optional` **forceLegacyMathML**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:163](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L163)
+Defined in: [packages/mermaid/src/config.type.ts:173](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L173)

 This option forces Mermaid to rely on KaTeX's own stylesheet for rendering MathML. Due to differences between OS
 fonts and browser's MathML implementation, this option is recommended if consistent rendering is important.
@@ -187,7 +199,7 @@ If set to true, ignores legacyMathML.

 > `optional` **gantt**: `GanttDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:184](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L184)
+Defined in: [packages/mermaid/src/config.type.ts:194](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L194)

 ---

@@ -195,7 +207,7 @@ Defined in: [packages/mermaid/src/config.type.ts:184](https://github.com/mermaid

 > `optional` **gitGraph**: `GitGraphDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:197](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L197)
+Defined in: [packages/mermaid/src/config.type.ts:207](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L207)

 ---

@@ -213,7 +225,7 @@ Defines the seed to be used when using handDrawn look. This is important for the

 > `optional` **htmlLabels**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:114](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L114)
+Defined in: [packages/mermaid/src/config.type.ts:124](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L124)

 ---

@@ -221,7 +233,7 @@ Defined in: [packages/mermaid/src/config.type.ts:114](https://github.com/mermaid

 > `optional` **journey**: `JourneyDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:185](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L185)
+Defined in: [packages/mermaid/src/config.type.ts:195](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L195)

 ---

@@ -229,7 +241,7 @@ Defined in: [packages/mermaid/src/config.type.ts:185](https://github.com/mermaid

 > `optional` **kanban**: `KanbanDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:196](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L196)
+Defined in: [packages/mermaid/src/config.type.ts:206](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L206)

 ---

@@ -247,7 +259,7 @@ Defines which layout algorithm to use for rendering the diagram.

 > `optional` **legacyMathML**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:156](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L156)
+Defined in: [packages/mermaid/src/config.type.ts:166](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L166)

 This option specifies if Mermaid can expect the dependent to include KaTeX stylesheets for browsers
 without their own MathML implementation. If this option is disabled and MathML is not supported, the math
@@ -260,7 +272,7 @@ fall back to legacy rendering for KaTeX.

 > `optional` **logLevel**: `0` | `2` | `1` | `"trace"` | `"debug"` | `"info"` | `"warn"` | `"error"` | `"fatal"` | `3` | `4` | `5`

-Defined in: [packages/mermaid/src/config.type.ts:127](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L127)
+Defined in: [packages/mermaid/src/config.type.ts:137](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L137)

 This option decides the amount of logging to be used by mermaid.

@@ -280,7 +292,7 @@ Defines which main look to use for the diagram.

 > `optional` **markdownAutoWrap**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:206](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L206)
+Defined in: [packages/mermaid/src/config.type.ts:216](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L216)

 ---

@@ -308,7 +320,7 @@ The maximum allowed size of the users text diagram

 > `optional` **mindmap**: `MindmapDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:195](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L195)
+Defined in: [packages/mermaid/src/config.type.ts:205](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L205)

 ---

@@ -316,7 +328,7 @@ Defined in: [packages/mermaid/src/config.type.ts:195](https://github.com/mermaid

 > `optional` **packet**: `PacketDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:200](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L200)
+Defined in: [packages/mermaid/src/config.type.ts:210](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L210)

 ---

@@ -324,7 +336,7 @@ Defined in: [packages/mermaid/src/config.type.ts:200](https://github.com/mermaid

 > `optional` **pie**: `PieDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:190](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L190)
+Defined in: [packages/mermaid/src/config.type.ts:200](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L200)

 ---

@@ -332,7 +344,7 @@ Defined in: [packages/mermaid/src/config.type.ts:190](https://github.com/mermaid

 > `optional` **quadrantChart**: `QuadrantChartConfig`

-Defined in: [packages/mermaid/src/config.type.ts:191](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L191)
+Defined in: [packages/mermaid/src/config.type.ts:201](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L201)

 ---

@@ -340,7 +352,7 @@ Defined in: [packages/mermaid/src/config.type.ts:191](https://github.com/mermaid

 > `optional` **radar**: `RadarDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:202](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L202)
+Defined in: [packages/mermaid/src/config.type.ts:212](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L212)

 ---

@@ -348,7 +360,7 @@ Defined in: [packages/mermaid/src/config.type.ts:202](https://github.com/mermaid

 > `optional` **requirement**: `RequirementDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:193](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L193)
+Defined in: [packages/mermaid/src/config.type.ts:203](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L203)

 ---

@@ -356,7 +368,7 @@ Defined in: [packages/mermaid/src/config.type.ts:193](https://github.com/mermaid

 > `optional` **sankey**: `SankeyDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:199](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L199)
+Defined in: [packages/mermaid/src/config.type.ts:209](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L209)

 ---

@@ -364,7 +376,7 @@ Defined in: [packages/mermaid/src/config.type.ts:199](https://github.com/mermaid

 > `optional` **secure**: `string`\[]

-Defined in: [packages/mermaid/src/config.type.ts:148](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L148)
+Defined in: [packages/mermaid/src/config.type.ts:158](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L158)

 This option controls which `currentConfig` keys are considered secure and
 can only be changed via call to `mermaid.initialize`.
@@ -376,7 +388,7 @@ This prevents malicious graph directives from overriding a site's default securi

 > `optional` **securityLevel**: `"strict"` | `"loose"` | `"antiscript"` | `"sandbox"`

-Defined in: [packages/mermaid/src/config.type.ts:131](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L131)
+Defined in: [packages/mermaid/src/config.type.ts:141](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L141)

 Level of trust for parsed diagram

@@ -386,7 +398,7 @@ Level of trust for parsed diagram

 > `optional` **sequence**: `SequenceDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:183](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L183)
+Defined in: [packages/mermaid/src/config.type.ts:193](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L193)

 ---

@@ -394,7 +406,7 @@ Defined in: [packages/mermaid/src/config.type.ts:183](https://github.com/mermaid

 > `optional` **startOnLoad**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:135](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L135)
+Defined in: [packages/mermaid/src/config.type.ts:145](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L145)

 Dictates whether mermaid starts on Page load

@@ -404,7 +416,7 @@ Dictates whether mermaid starts on Page load

 > `optional` **state**: `StateDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:188](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L188)
+Defined in: [packages/mermaid/src/config.type.ts:198](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L198)

 ---

@@ -412,7 +424,7 @@ Defined in: [packages/mermaid/src/config.type.ts:188](https://github.com/mermaid

 > `optional` **suppressErrorRendering**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:212](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L212)
+Defined in: [packages/mermaid/src/config.type.ts:222](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L222)

 Suppresses inserting 'Syntax error' diagram in the DOM.
 This is useful when you want to control how to handle syntax errors in your application.
@@ -450,7 +462,7 @@ Defined in: [packages/mermaid/src/config.type.ts:65](https://github.com/mermaid-

 > `optional` **timeline**: `TimelineDiagramConfig`

-Defined in: [packages/mermaid/src/config.type.ts:186](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L186)
+Defined in: [packages/mermaid/src/config.type.ts:196](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L196)

 ---

@@ -458,7 +470,7 @@ Defined in: [packages/mermaid/src/config.type.ts:186](https://github.com/mermaid

 > `optional` **wrap**: `boolean`

-Defined in: [packages/mermaid/src/config.type.ts:204](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L204)
+Defined in: [packages/mermaid/src/config.type.ts:214](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L214)

 ---

@@ -466,4 +478,4 @@ Defined in: [packages/mermaid/src/config.type.ts:204](https://github.com/mermaid

 > `optional` **xyChart**: `XYChartConfig`

-Defined in: [packages/mermaid/src/config.type.ts:192](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L192)
+Defined in: [packages/mermaid/src/config.type.ts:202](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/config.type.ts#L202)
--- a/docs/ecosystem/integrations-community.md
+++ b/docs/ecosystem/integrations-community.md
@@ -117,7 +117,7 @@ Content Management Systems/Enterprise Content Management
 - [Grav CMS](https://getgrav.org/)
  - [Mermaid Diagrams Plugin](https://github.com/DanielFlaum/grav-plugin-mermaid-diagrams)
  - [GitLab Markdown Adapter](https://github.com/Goutte/grav-plugin-gitlab-markdown-adapter)
- [Tiki](https://tiki.org)
+- [Tiki Wiki CMS Groupware](https://tiki.org)
  - [Tracker Entity Relationship Diagram](https://doc.tiki.org/Tracker-Entity-Relationship-Diagram)
 - [VitePress](https://vitepress.vuejs.org/)
  - [Plugin for Mermaid.js](https://emersonbottero.github.io/vitepress-plugin-mermaid/)
--- a/docs/syntax/pie.md
+++ b/docs/syntax/pie.md
@@ -39,7 +39,7 @@ Drawing a pie chart is really simple in mermaid.

 **Note:**

-> Pie chart values must be **positive numbers greater than zero**.\
+> Pie chart values must be **positive numbers greater than zero**.
 > **Negative values are not allowed** and will result in an error.

 \[pie] \[showData] (OPTIONAL)
--- a/packages/mermaid-layout-elk/src/render.ts
+++ b/packages/mermaid-layout-elk/src/render.ts
@@ -766,7 +766,10 @@ export const render = async (
    id: 'root',
    layoutOptions: {
      'elk.hierarchyHandling': 'INCLUDE_CHILDREN',
-      'elk.layered.crossingMinimization.forceNodeModelOrder': true,
+      'elk.layered.crossingMinimization.forceNodeModelOrder':
+        data4Layout.config.elk?.forceNodeModelOrder,
+      'elk.layered.considerModelOrder.strategy': data4Layout.config.elk?.considerModelOrder,
+
      'elk.algorithm': algorithm,
      'nodePlacement.strategy': data4Layout.config.elk?.nodePlacementStrategy,
      'elk.layered.mergeEdges': data4Layout.config.elk?.mergeEdges,
--- a/packages/mermaid/src/config.type.ts
+++ b/packages/mermaid/src/config.type.ts
@@ -109,6 +109,16 @@ export interface MermaidConfig {
      | 'INTERACTIVE'
      | 'MODEL_ORDER'
      | 'GREEDY_MODEL_ORDER';
+    /**
+     * The node order given by the model does not change to produce a better layout. E.g. if node A is before node B in the model this is not changed during crossing minimization. This assumes that the node model order is already respected before crossing minimization. This can be achieved by setting considerModelOrder.strategy to NODES_AND_EDGES.
+     *
+     */
+    forceNodeModelOrder?: boolean;
+    /**
+     * Preserves the order of nodes and edges in the model file if this does not lead to additional edge crossings. Depending on the strategy this is not always possible since the node and edge order might be conflicting.
+     *
+     */
+    considerModelOrder?: 'NONE' | 'NODES_AND_EDGES' | 'PREFER_EDGES' | 'PREFER_NODES';
  };
  darkMode?: boolean;
  htmlLabels?: boolean;
--- a/packages/mermaid/src/dagre-wrapper/createLabel.js
+++ b/packages/mermaid/src/dagre-wrapper/createLabel.js
@@ -1,9 +1,9 @@
 import { select } from 'd3';
-import { log } from '../logger.js';
 import { getConfig } from '../diagram-api/diagramAPI.js';
-import { evaluate } from '../diagrams/common/common.js';
-import { decodeEntities } from '../utils.js';
+import { evaluate, sanitizeText } from '../diagrams/common/common.js';
+import { log } from '../logger.js';
 import { replaceIconSubstring } from '../rendering-util/createText.js';
+import { decodeEntities } from '../utils.js';

 /**
 * @param dom
@@ -19,14 +19,14 @@ function applyStyle(dom, styleFn) {
 * @param {any} node
 * @returns {SVGForeignObjectElement} Node
 */
-function addHtmlLabel(node) {
+function addHtmlLabel(node, config) {
  const fo = select(document.createElementNS('http://www.w3.org/2000/svg', 'foreignObject'));
  const div = fo.append('xhtml:div');

  const label = node.label;
  const labelClass = node.isNode ? 'nodeLabel' : 'edgeLabel';
  const span = div.append('span');
-  span.html(label);
+  span.html(sanitizeText(label, config));
  applyStyle(span, node.labelStyle);
  span.attr('class', labelClass);

@@ -49,7 +49,8 @@ const createLabel = async (_vertexText, style, isTitle, isNode) => {
  if (typeof vertexText === 'object') {
    vertexText = vertexText[0];
  }
-  if (evaluate(getConfig().flowchart.htmlLabels)) {
+  const config = getConfig();
+  if (evaluate(config.flowchart.htmlLabels)) {
    // TODO: addHtmlLabel accepts a labelStyle. Do we possibly have that?
    vertexText = vertexText.replace(/\\n|\n/g, '<br />');
    log.debug('vertexText' + vertexText);
@@ -59,7 +60,7 @@ const createLabel = async (_vertexText, style, isTitle, isNode) => {
      label,
      labelStyle: style.replace('fill:', 'color:'),
    };
-    let vertexNode = addHtmlLabel(node);
+    let vertexNode = addHtmlLabel(node, config);
    // vertexNode.parentNode.removeChild(vertexNode);
    return vertexNode;
  } else {
--- a/packages/mermaid/src/defaultConfig.ts
+++ b/packages/mermaid/src/defaultConfig.ts
@@ -24,6 +24,8 @@ const config: RequiredDeep<MermaidConfig> = {
    // mergeEdges is needed here to be considered
    mergeEdges: false,
    nodePlacementStrategy: 'BRANDES_KOEPF',
+    forceNodeModelOrder: false,
+    considerModelOrder: 'NODES_AND_EDGES',
  },
  themeCSS: undefined,

--- a/packages/mermaid/src/diagrams/architecture/svgDraw.ts
+++ b/packages/mermaid/src/diagrams/architecture/svgDraw.ts
@@ -3,6 +3,7 @@ import { getConfig } from '../../diagram-api/diagramAPI.js';
 import { createText } from '../../rendering-util/createText.js';
 import { getIconSVG } from '../../rendering-util/icons.js';
 import type { D3Element } from '../../types.js';
+import { sanitizeText } from '../common/common.js';
 import type { ArchitectureDB } from './architectureDb.js';
 import { architectureIcons } from './architectureIcons.js';
 import {
@@ -271,6 +272,7 @@ export const drawServices = async function (
  elem: D3Element,
  services: ArchitectureService[]
 ): Promise<number> {
+  const config = getConfig();
  for (const service of services) {
    const serviceElem = elem.append('g');
    const iconSize = db.getConfigField('iconSize');
@@ -285,7 +287,7 @@ export const drawServices = async function (
          width: iconSize * 1.5,
          classes: 'architecture-service-label',
        },
-        getConfig()
+        config
      );

      textElem
@@ -320,7 +322,7 @@ export const drawServices = async function (
        .attr('class', 'node-icon-text')
        .attr('style', `height: ${iconSize}px;`)
        .append('div')
-        .html(service.iconText);
+        .html(sanitizeText(service.iconText, config));
      const fontSize =
        parseInt(
          window
--- a/packages/mermaid/src/diagrams/common/common.ts
+++ b/packages/mermaid/src/diagrams/common/common.ts
@@ -311,9 +311,8 @@ export const hasKatex = (text: string): boolean => (text.match(katexRegex)?.leng
 * @returns Object containing \{width, height\}
 */
 export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
-  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
-  divElem.innerHTML = text;
+  divElem.innerHTML = await renderKatexSanitized(text, config);
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
@@ -325,14 +324,7 @@ export const calculateMathMLDimensions = async (text: string, config: MermaidCon
  return dim;
 };

-/**
- * Attempts to render and return the KaTeX portion of a string with MathML
- *
- * @param text - The text to test
- * @param config - Configuration for Mermaid
- * @returns String containing MathML if KaTeX is supported, or an error message if it is not and stylesheets aren't present
- */
-export const renderKatex = async (text: string, config: MermaidConfig): Promise<string> => {
+const renderKatexUnsanitized = async (text: string, config: MermaidConfig): Promise<string> => {
  if (!hasKatex(text)) {
    return text;
  }
@@ -373,6 +365,20 @@ export const renderKatex = async (text: string, config: MermaidConfig): Promise<
  );
 };

+/**
+ * Attempts to render and return the KaTeX portion of a string with MathML
+ *
+ * @param text - The text to test
+ * @param config - Configuration for Mermaid
+ * @returns String containing MathML if KaTeX is supported, or an error message if it is not and stylesheets aren't present
+ */
+export const renderKatexSanitized = async (
+  text: string,
+  config: MermaidConfig
+): Promise<string> => {
+  return sanitizeText(await renderKatexUnsanitized(text, config), config);
+};
+
 export default {
  getRows,
  sanitizeText,
--- a/packages/mermaid/src/diagrams/sequence/svgDraw.js
+++ b/packages/mermaid/src/diagrams/sequence/svgDraw.js
@@ -1,8 +1,12 @@
-import common, { calculateMathMLDimensions, hasKatex, renderKatex } from '../common/common.js';
-import * as svgDrawCommon from '../common/svgDrawCommon.js';
-import { ZERO_WIDTH_SPACE, parseFontSize } from '../../utils.js';
 import { sanitizeUrl } from '@braintree/sanitize-url';
 import * as configApi from '../../config.js';
+import { ZERO_WIDTH_SPACE, parseFontSize } from '../../utils.js';
+import common, {
+  calculateMathMLDimensions,
+  hasKatex,
+  renderKatexSanitized,
+} from '../common/common.js';
+import * as svgDrawCommon from '../common/svgDrawCommon.js';

 export const ACTOR_TYPE_WIDTH = 18 * 2;
 const TOP_ACTOR_CLASS = 'actor-top';
@@ -87,13 +91,13 @@ const popupMenuToggle = function (popId) {

 export const drawKatex = async function (elem, textData, msgModel = null) {
  let textElem = elem.append('foreignObject');
-  const lines = await renderKatex(textData.text, configApi.getConfig());
+  const linesSanitized = await renderKatexSanitized(textData.text, configApi.getConfig());

  const divElem = textElem
    .append('xhtml:div')
    .attr('style', 'width: fit-content;')
    .attr('xmlns', 'http://www.w3.org/1999/xhtml')
-    .html(lines);
+    .html(linesSanitized);
  const dim = divElem.node().getBoundingClientRect();

  textElem.attr('height', Math.round(dim.height)).attr('width', Math.round(dim.width));
@@ -965,7 +969,7 @@ const _drawTextCandidateFunc = (function () {
      .append('div')
      .style('text-align', 'center')
      .style('vertical-align', 'middle')
-      .html(await renderKatex(content, configApi.getConfig()));
+      .html(await renderKatexSanitized(content, configApi.getConfig()));

    byTspan(content, s, x, y, width, height, textAttrs, conf);
    _setTextAttrs(text, textAttrs);
--- a/packages/mermaid/src/docs/ecosystem/integrations-community.md
+++ b/packages/mermaid/src/docs/ecosystem/integrations-community.md
@@ -112,7 +112,7 @@ Content Management Systems/Enterprise Content Management
 - [Grav CMS](https://getgrav.org/)
  - [Mermaid Diagrams Plugin](https://github.com/DanielFlaum/grav-plugin-mermaid-diagrams)
  - [GitLab Markdown Adapter](https://github.com/Goutte/grav-plugin-gitlab-markdown-adapter)
- [Tiki](https://tiki.org)
+- [Tiki Wiki CMS Groupware](https://tiki.org)
  - [Tracker Entity Relationship Diagram](https://doc.tiki.org/Tracker-Entity-Relationship-Diagram)
 - [VitePress](https://vitepress.vuejs.org/)
  - [Plugin for Mermaid.js](https://emersonbottero.github.io/vitepress-plugin-mermaid/)
--- a/packages/mermaid/src/docs/syntax/pie.md
+++ b/packages/mermaid/src/docs/syntax/pie.md
@@ -26,7 +26,7 @@ Drawing a pie chart is really simple in mermaid.

 **Note:**

-> Pie chart values must be **positive numbers greater than zero**.  
+> Pie chart values must be **positive numbers greater than zero**.
 > **Negative values are not allowed** and will result in an error.

 [pie] [showData] (OPTIONAL)
--- a/packages/mermaid/src/rendering-util/createText.spec.ts
+++ b/packages/mermaid/src/rendering-util/createText.spec.ts
@@ -1,6 +1,7 @@
 import { describe, expect, it } from 'vitest';
-import { replaceIconSubstring } from './createText.js';
+import { sanitizeText } from '../diagram-api/diagramAPI.js';
 import mermaid from '../mermaid.js';
+import { replaceIconSubstring } from './createText.js';

 describe('replaceIconSubstring', () => {
  it('converts FontAwesome icon notations to HTML tags', async () => {
@@ -56,7 +57,7 @@ describe('replaceIconSubstring', () => {
    ]);
    const input = 'Icons galore: fa:fa-bell';
    const output = await replaceIconSubstring(input);
-    const expected = staticBellIconPack.icons.bell.body;
+    const expected = sanitizeText(staticBellIconPack.icons.bell.body);
    expect(output).toContain(expected);
  });
 });
--- a/packages/mermaid/src/rendering-util/createText.ts
+++ b/packages/mermaid/src/rendering-util/createText.ts
@@ -2,9 +2,8 @@
 // @ts-nocheck TODO: Fix types
 import { select } from 'd3';
 import type { MermaidConfig } from '../config.type.js';
-import { getConfig, sanitizeText } from '../diagram-api/diagramAPI.js';
 import type { SVGGroup } from '../diagram-api/types.js';
-import common, { hasKatex, renderKatex } from '../diagrams/common/common.js';
+import common, { hasKatex, renderKatexSanitized, sanitizeText } from '../diagrams/common/common.js';
 import type { D3TSpanElement, D3TextElement } from '../diagrams/common/commonTypes.js';
 import { log } from '../logger.js';
 import { markdownToHTML, markdownToLines } from '../rendering-util/handle-markdown-text.js';
@@ -12,6 +11,7 @@ import { decodeEntities } from '../utils.js';
 import { getIconSVG, isIconAvailable } from './icons.js';
 import { splitLineToFitWidth } from './splitText.js';
 import type { MarkdownLine, MarkdownWord } from './types.js';
+import { getConfig } from '../config.js';

 function applyStyle(dom, styleFn) {
  if (styleFn) {
@@ -19,7 +19,15 @@ function applyStyle(dom, styleFn) {
  }
 }

-async function addHtmlSpan(element, node, width, classes, addBackground = false) {
+async function addHtmlSpan(
+  element,
+  node,
+  width,
+  classes,
+  addBackground = false,
+  // TODO: Make config mandatory
+  config: MermaidConfig = getConfig()
+) {
  const fo = element.append('foreignObject');
  // This is not the final width but used in order to make sure the foreign
  // object in firefox gets a width at all. The final width is fetched from the div
@@ -27,13 +35,12 @@ async function addHtmlSpan(element, node, width, classes, addBackground = false)
  fo.attr('height', `${10 * width}px`);

  const div = fo.append('xhtml:div');
-  let label = node.label;
-  if (node.label && hasKatex(node.label)) {
-    label = await renderKatex(node.label.replace(common.lineBreakRegex, '\n'), getConfig());
-  }
+  const sanitizedLabel = hasKatex(node.label)
+    ? await renderKatexSanitized(node.label.replace(common.lineBreakRegex, '\n'), config)
+    : sanitizeText(node.label, config);
  const labelClass = node.isNode ? 'nodeLabel' : 'edgeLabel';
  const span = div.append('span');
-  span.html(label);
+  span.html(sanitizedLabel);
  applyStyle(span, node.labelStyle);
  span.attr('class', `${labelClass} ${classes}`);

@@ -56,9 +63,6 @@ async function addHtmlSpan(element, node, width, classes, addBackground = false)
    bbox = div.node().getBoundingClientRect();
  }

-  // fo.style('width', bbox.width);
-  // fo.style('height', bbox.height);
-
  return fo.node();
 }

@@ -181,9 +185,14 @@ function updateTextContentAndStyles(tspan: any, wrappedLine: MarkdownWord[]) {
 /**
 * Convert fontawesome labels into fontawesome icons by using a regex pattern
 * @param text - The raw string to convert
+ * @param config - Mermaid config
 * @returns string with fontawesome icons as svg if the icon is registered otherwise as i tags
 */
-export async function replaceIconSubstring(text: string) {
+export async function replaceIconSubstring(
+  text: string,
+  // TODO: Make config mandatory
+  config: MermaidConfig = {}
+): Promise<string> {
  const pendingReplacements: Promise<string>[] = [];
  // cspell: disable-next-line
  text.replace(/(fa[bklrs]?):fa-([\w-]+)/g, (fullMatch, prefix, iconName) => {
@@ -193,7 +202,7 @@ export async function replaceIconSubstring(text: string) {
        if (await isIconAvailable(registeredIconName)) {
          return await getIconSVG(registeredIconName, undefined, { class: 'label-icon' });
        } else {
-          return `<i class='${sanitizeText(fullMatch).replace(':', ' ')}'></i>`;
+          return `<i class='${sanitizeText(fullMatch, config).replace(':', ' ')}'></i>`;
        }
      })()
    );
@@ -236,7 +245,7 @@ export const createText = async (
    // TODO: addHtmlLabel accepts a labelStyle. Do we possibly have that?

    const htmlText = markdownToHTML(text, config);
-    const decodedReplacedText = await replaceIconSubstring(decodeEntities(htmlText));
+    const decodedReplacedText = await replaceIconSubstring(decodeEntities(htmlText), config);

    //for Katex the text could contain escaped characters, \\relax that should be transformed to \relax
    const inputForKatex = text.replace(/\\\\/g, '\\');
@@ -246,7 +255,7 @@ export const createText = async (
      label: hasKatex(text) ? inputForKatex : decodedReplacedText,
      labelStyle: style.replace('fill:', 'color:'),
    };
-    const vertexNode = await addHtmlSpan(el, node, width, classes, addSvgBackground);
+    const vertexNode = await addHtmlSpan(el, node, width, classes, addSvgBackground, config);
    return vertexNode;
  } else {
    //sometimes the user might add br tags with 1 or more spaces in between, so we need to replace them with <br/>
--- a/packages/mermaid/src/rendering-util/handle-markdown-text.spec.ts
+++ b/packages/mermaid/src/rendering-util/handle-markdown-text.spec.ts
@@ -285,7 +285,11 @@ test('markdownToHTML - Unsupported formatting', () => {
  - l1
  - l2
  - l3`)
-  ).toMatchInlineSnapshot('"<p>Hello</p>Unsupported markdown: list"');
+  ).toMatchInlineSnapshot(`
+    "<p>Hello</p>  - l1
+      - l2
+      - l3"
+  `);
 });

 test('markdownToHTML - no auto wrapping', () => {
--- a/packages/mermaid/src/rendering-util/handle-markdown-text.ts
+++ b/packages/mermaid/src/rendering-util/handle-markdown-text.ts
@@ -3,6 +3,7 @@ import { marked } from 'marked';
 import { dedent } from 'ts-dedent';
 import type { MarkdownLine, MarkdownWordType } from './types.js';
 import type { MermaidConfig } from '../config.type.js';
+import { log } from '../logger.js';

 /**
 * @param markdown - markdown to process
@@ -61,6 +62,8 @@ export function markdownToLines(markdown: string, config: MermaidConfig = {}): M
      });
    } else if (treeNode.type === 'html') {
      lines[currentLine].push({ content: treeNode.text, type: 'normal' });
+    } else {
+      lines[currentLine].push({ content: treeNode.raw, type: 'normal' });
    }
  });

@@ -89,7 +92,8 @@ export function markdownToHTML(markdown: string, { markdownAutoWrap }: MermaidCo
    } else if (node.type === 'escape') {
      return node.text;
    }
-    return `Unsupported markdown: ${node.type}`;
+    log.warn(`Unsupported markdown: ${node.type}`);
+    return node.raw;
  }

  return nodes.map(output).join('');
--- a/packages/mermaid/src/rendering-util/icons.ts
+++ b/packages/mermaid/src/rendering-util/icons.ts
@@ -1,7 +1,9 @@
-import { log } from '../logger.js';
 import type { ExtendedIconifyIcon, IconifyIcon, IconifyJSON } from '@iconify/types';
 import type { IconifyIconCustomisations } from '@iconify/utils';
 import { getIconData, iconToHTML, iconToSVG, replaceIDs, stringToIcon } from '@iconify/utils';
+import { getConfig } from '../config.js';
+import { sanitizeText } from '../diagrams/common/common.js';
+import { log } from '../logger.js';

 interface AsyncIconLoader {
  name: string;
@@ -100,5 +102,5 @@ export const getIconSVG = async (
    ...renderData.attributes,
    ...extraAttributes,
  });
-  return svg;
+  return sanitizeText(svg, getConfig());
 };
--- a/packages/mermaid/src/rendering-util/rendering-elements/createLabel.js
+++ b/packages/mermaid/src/rendering-util/rendering-elements/createLabel.js
@@ -1,7 +1,12 @@
 import { select } from 'd3';
-import { log } from '../../logger.js';
 import { getConfig } from '../../diagram-api/diagramAPI.js';
-import common, { evaluate, renderKatex, hasKatex } from '../../diagrams/common/common.js';
+import common, {
+  evaluate,
+  hasKatex,
+  renderKatexSanitized,
+  sanitizeText,
+} from '../../diagrams/common/common.js';
+import { log } from '../../logger.js';
 import { decodeEntities } from '../../utils.js';

 /**
@@ -22,20 +27,21 @@ async function addHtmlLabel(node) {
  const fo = select(document.createElementNS('http://www.w3.org/2000/svg', 'foreignObject'));
  const div = fo.append('xhtml:div');

+  const config = getConfig();
  let label = node.label;
  if (node.label && hasKatex(node.label)) {
-    label = await renderKatex(node.label.replace(common.lineBreakRegex, '\n'), getConfig());
+    label = await renderKatexSanitized(node.label.replace(common.lineBreakRegex, '\n'), config);
  }
  const labelClass = node.isNode ? 'nodeLabel' : 'edgeLabel';
-  div.html(
+  const labelSpan =
    '<span class="' +
-      labelClass +
-      '" ' +
-      (node.labelStyle ? 'style="' + node.labelStyle + '"' : '') + // codeql [js/html-constructed-from-input] : false positive
-      '>' +
-      label +
-      '</span>'
-  );
+    labelClass +
+    '" ' +
+    (node.labelStyle ? 'style="' + node.labelStyle + '"' : '') + // codeql [js/html-constructed-from-input] : false positive
+    '>' +
+    label +
+    '</span>';
+  div.html(sanitizeText(labelSpan, config));

  applyStyle(div, node.labelStyle);
  div.style('display', 'inline-block');
--- a/packages/mermaid/src/schemas/config.schema.yaml
+++ b/packages/mermaid/src/schemas/config.schema.yaml
@@ -133,6 +133,21 @@ properties:
          - MODEL_ORDER
          - GREEDY_MODEL_ORDER
        default: GREEDY_MODEL_ORDER
+      forceNodeModelOrder:
+        description: |
+          The node order given by the model does not change to produce a better layout. E.g. if node A is before node B in the model this is not changed during crossing minimization. This assumes that the node model order is already respected before crossing minimization. This can be achieved by setting considerModelOrder.strategy to NODES_AND_EDGES.
+        type: boolean
+        default: false
+      considerModelOrder:
+        description: |
+          Preserves the order of nodes and edges in the model file if this does not lead to additional edge crossings. Depending on the strategy this is not always possible since the node and edge order might be conflicting.
+        type: string
+        enum:
+          - NONE
+          - NODES_AND_EDGES
+          - PREFER_EDGES
+          - PREFER_NODES
+        default: 'NODES_AND_EDGES'
  darkMode:
    type: boolean
    default: false
Author	SHA1	Message	Date
Sidharth Vinod	e5840277df	chore: save eslintcache to speedup linting	2025-08-18 17:36:30 +05:30
Sidharth Vinod	fc2c32603d	fix: Config handling Co-authored-by: Saurabh Gore <saurabh@mermaidchart.com>	2025-08-18 17:26:01 +05:30
autofix-ci[bot]	8c7da5af56	[autofix.ci] apply automated fixes	2025-08-18 11:52:01 +00:00
Sidharth Vinod	4b89af3aca	chore: just something to let autofix run	2025-08-18 17:16:32 +05:30
Sidharth Vinod	2aa8330279	Merge commit from fork fix: Sanitize icons and icon labels	2025-08-18 17:00:40 +05:30
Sidharth Vinod	803e2e14be	Merge remote-tracking branch 'upstream/develop' into advisory-fix-1 * upstream/develop: (68 commits) fix: sanitize addHtmlLabel in createLabel docs(integrations): update Tiki to Tiki Wiki CMS Groupware community in list cms/ecm to avoid confusion updated lock file #6856 Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration chore: Modify changeset Update .changeset/strong-laws-confess.md fix: fallback to raw text instead of rendering empty boxes when `htmlLabels: false` chore: Modify changeset [autofix.ci] apply automated fixes test: Add E2E test for unsupported markdown Create strong-laws-confess.md fix: Remove data loss when unsupported markdown is encountered Apply suggestion from @sidharthv96 Add changeset and integration test chore: update E2E timings Make elk not force model order, but strongly consider it instead chore(deps): update peter-evans/create-pull-request digest to 1310d7d added changeset Fix border style for hand drawn shapes test: Verify label is sanitized ...	2025-08-18 16:59:44 +05:30
Sidharth Vinod	685516a85e	Merge commit from fork fix: Sanitize KATEX blocks	2025-08-18 16:57:11 +05:30
Sidharth Vinod	880f7454a3	fix: sanitize addHtmlLabel in createLabel Co-authored-by: Chris Grieger <chris@scolp.de>	2025-08-18 16:53:20 +05:30
Sidharth Vinod	1f46c9e9bb	Merge pull request #6861 from Baraka24/docs/6339_update-tiki-in-integrations-community-list docs(integrations): update Tiki to Tiki Wiki CMS Groupware community in list cms/ecm to avoid confusion	2025-08-16 18:46:37 +00:00
Baraka Kinywa	ec7099dc27	docs(integrations): update Tiki to Tiki Wiki CMS Groupware community in list cms/ecm to avoid confusion	2025-08-16 10:20:05 +02:00
Sidharth Vinod	e6ee145edf	Merge pull request #6857 from mermaid-js/elk-exposing-considerModelOrder-to-config Exposing elk configuration forceNodeModelOrder and considerMode…	2025-08-14 11:18:58 +00:00
Knut Sveidqvist	5cc264feb7	updated lock file	2025-08-14 13:05:40 +02:00
Alois Klink	690cc73259	Merge pull request #6855 from mermaid-js/sidv/showRawData fix: fallback to raw text instead of rendering Unsupported markdown	2025-08-14 11:01:58 +00:00
Knut Sveidqvist	b9ef683fb6	#6856 Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration	2025-08-14 12:56:20 +02:00
Sidharth Vinod	6a6289f2aa	chore: Modify changeset	2025-08-14 16:18:45 +05:30
Sidharth Vinod	accb4c6369	Update .changeset/strong-laws-confess.md Co-authored-by: Alois Klink <alois@aloisklink.com>	2025-08-14 03:47:30 -07:00
Sidharth Vinod	52be254ad3	fix: fallback to raw text instead of rendering empty boxes when `htmlLabels: false`	2025-08-14 16:17:04 +05:30
Sidharth Vinod	9c071a9064	chore: Modify changeset Co-authored-by: Alois Klink <alois@mermaidchart.com>	2025-08-14 15:47:29 +05:30
Knut Sveidqvist	91d7229f1b	Merge pull request #6849 from anderium/bug/6647_fix-crossing-regression-while-keeping-preferred-node-order Make elk not force node model order, but strongly consider it instead	2025-08-14 10:17:25 +00:00
autofix-ci[bot]	60feec465b	[autofix.ci] apply automated fixes	2025-08-14 09:26:22 +00:00
Sidharth Vinod	d1ae687d1e	Merge branch 'sidv/showRawData' of https://github.com/mermaid-js/mermaid into sidv/showRawData * 'sidv/showRawData' of https://github.com/mermaid-js/mermaid: Create strong-laws-confess.md	2025-08-14 14:48:46 +05:30
Sidharth Vinod	7af6723ac0	test: Add E2E test for unsupported markdown	2025-08-14 14:48:37 +05:30
Sidharth Vinod	da90f6760b	Create strong-laws-confess.md	2025-08-14 02:16:38 -07:00
Sidharth Vinod	d74013c642	fix: Remove data loss when unsupported markdown is encountered	2025-08-14 13:05:44 +05:30
Sidharth Vinod	ce996346f8	Merge pull request #6821 from kriss-u/chore/4119_cspell_issue_eslint chore: run cspell on lint staged for markdown files	2025-08-14 11:46:13 +05:30
Sidharth Vinod	29edfa7f56	Apply suggestion from @sidharthv96	2025-08-13 10:03:26 -07:00
anderium	2260948b7b	Add changeset and integration test	2025-08-13 14:39:09 +02:00
anderium	4f24489d81	Make elk not force model order, but strongly consider it instead This improves the ordering in models with crossings that can be resolved by reordering nodes. It keeps the node order to still avoid #6647 which cause this regression to be introduced. [See this example on the ELK Editor.](https://rtsys.informatik.uni-kiel.de/elklive/elkgraph.html?compressedContent=IYGw5g9gTglgLgCwLYC4AEJgE8CmUcAmAUAPQloDGUEAzjTAHZgCyjMSMAXsHDBAwDoAZtAo4AchAI5mUnCADyUaVHRwoAVxxEK-eitnTFyvAJrqeOMFnTiFAEQCiAZQD6AQXH3Xj+wHEXIlJyABUEGBo0CLQAI2ACNAB3BBwGNA16JjQRKDFJaUN5JRU1TRwBIIY5NAYABjQAbwxgGPk0ACJa9rQAXyIq6Rr3RubWkA7gbr6BnBqARhHMMY65qf7qhgAmRZa29s21mZqADR3l9uPDjYAhM72Yq8GGa+GmpfuBVd71p+vbt9243aMQEB2+R2epwB5wAWmsiIQwLM6mgALQAPiGaARBCRNXqGPmQURyIWhK2xNxyOG5OulLxzzRmOe7hxDNutLpbORLyZNWux25-I5zMFQq2fIYYuCaGuGjgaEQ0RoCAgGhACVaaAA1jgAA4KxCzGjAJDlGUASQV+GgKkicAgaAAzAAaNAAFjdczd2xgQkoehgBjkxhUZgscCsNjQdnEjjQAAppEJgOq4ABKSrVABu9Whe1zj1m2YW+aBJaLaGz2zLHWrlezTru5adDfdzbr7vhJKrBMxJaFub51cHfarTtHw-dRCAA)	2025-08-13 01:47:25 +02:00
Sidharth Vinod	aeaf626bb5	fix: Sanitize check in unit test	2025-08-08 18:59:47 +05:30
Sidharth Vinod	096fbe933e	test: Verify label is sanitized Co-authored-by: Chris Grieger <chris@scolp.de>	2025-08-08 12:55:18 +05:30
Sidharth Vinod	e539909e87	fix: Label in addHtmlSpan	2025-08-08 12:54:26 +05:30
Sidharth Vinod	cfc76ef1cb	fix: sanitize HTML for spans	2025-08-07 22:49:39 +05:30
Sidharth Vinod	20a18971ea	chore: Add CVE ID	2025-08-07 13:39:01 +05:30
Sidharth Vinod	e1e36dfcb3	chore: Add CVE ID	2025-08-07 13:37:54 +05:30
Sidharth Vinod	e32e80ea7f	chore: Add @fourcube in changeset	2025-08-05 10:17:21 -07:00
Sidharth Vinod	3256807d25	chore: Add @fourcube in changeset	2025-08-05 22:44:58 +05:30
Sidharth Vinod	0133f1c0c5	docs: Add changeset	2025-08-05 22:42:13 +05:30
Sidharth Vinod	12e01bdb5c	docs: Add changeset	2025-08-05 22:41:10 +05:30
Sidharth Vinod	a776b4f0ab	Merge branch 'advisory-fix-1' of https://github.com/mermaid-js/mermaid-ghsa-7rqq-prvp-x9jh into advisory-fix-1 * 'advisory-fix-1' of https://github.com/mermaid-js/mermaid-ghsa-7rqq-prvp-x9jh: fix: Sanitize Katex	2025-08-05 22:37:06 +05:30
Sidharth Vinod	8d79bc9b19	test: check katex sanitization	2025-08-05 22:36:28 +05:30
Sidharth Vinod	ecf7ab4355	fix: Sanitize getIconSVG	2025-08-05 22:33:05 +05:30
Sidharth Vinod	c61a431e2d	fix: Sanitize iconText	2025-08-05 22:32:38 +05:30
Sidharth Vinod	526b35c602	test: Architecture XSS	2025-08-05 22:30:45 +05:30
Sidharth Vinod	8090580c67	test: Handle missing bindFunctions	2025-08-05 22:27:21 +05:30
Sidharth Vinod	9d685178d2	fix: Sanitize Katex	2025-08-05 20:44:03 +05:30
Krishna Upadhyay	17142ef8d7	chore: run cspell on lint staged for markdown files [skip ci]	2025-08-04 20:53:19 -05:00