diff --git a/cypress/integration/other/xss.spec.js b/cypress/integration/other/xss.spec.js
index fb052d1716..ef4878bc43 100644
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -68,5 +68,10 @@ describe('XSS', () => {
cy.wait(1000);
cy.get('#the-malware').should('not.exist');
})
+ it('should not allow maniplulating antiscript to run javascript using onerror in state diagrams', () => {
+ cy.visit('http://localhost:9000/xss7.html');
+ cy.wait(1000);
+ cy.get('#the-malware').should('not.exist');
+ })
})
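Review bot: The new test title on the `it(...)` line misspells "manipulating" as "maniplulating", and the title is what every report and failure message will show; `it('should not allow manipulating antiscript to run javascript using onerror in state diagrams', () => {`. The fixed `cy.wait(1000)` copies the sibling tests, so on a slow render the negative `should('not.exist')` can pass before the diagram is drawn at all; asserting on a rendered element before the negative check would make it meaningful. The enclosing describe block starts outside the hunk.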
diff --git a/cypress/platform/xss7.html b/cypress/platform/xss7.html
new file mode 100644
index 0000000000..9ca548acfd
--- /dev/null
+++ b/cypress/platform/xss7.html
@@ -0,0 +1,99 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/src/diagrams/state/stateDb.js b/src/diagrams/state/stateDb.js
index 4b752cedb6..2e65bbe828 100644
--- a/src/diagrams/state/stateDb.js
+++ b/src/diagrams/state/stateDb.js
@@ -1,10 +1,10 @@
import { log } from '../../logger';
import { generateId } from '../../utils';
import mermaidAPI from '../../mermaidAPI';
+import common from '../common/common';
import * as configApi from '../../config';
const clone = (o) => JSON.parse(JSON.stringify(o));
-
let rootDoc = [];
export const parseDirective = function (statement, context, type) {
@@ -148,7 +148,7 @@ export const addState = function (id, type, doc, descr, note) {
}
}
- if (note) currentDocument.states[id].note = note;
+ if (note) currentDocument.states[id].note = common.sanitizeText(note, configApi.getConfig());
};
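Review bot: The changed line passes the whole `note` argument to `common.sanitizeText`; if callers supply a note object (for example one carrying a text field) rather than a plain string, the object would be stringified or passed through and the note text itself would still reach the renderer unsanitized, so the shape of `note` is worth confirming and the text field sanitized if that is the case. The inline `configApi.getConfig()` call is repeated in the addRelation hunk while the addDescription hunk uses a local `config`; a single helper such as `const sanitize = (s) => common.sanitizeText(s, configApi.getConfig());` would keep the three sites consistent. addState's body starts outside the hunk.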
export const clear = function () {
@@ -195,7 +195,7 @@ export const addRelation = function (_id1, _id2, title) {
}
addState(id1, type1);
addState(id2, type2);
- currentDocument.relations.push({ id1, id2, title: title });
+ currentDocument.relations.push({ id1, id2, title: common.sanitizeText(title, configApi.getConfig()) });
};
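Review bot: `title` was previously stored as given, including `undefined` for relations without a label, and the changed line now hands it straight to `common.sanitizeText`; unless sanitizeText already returns a falsy input unchanged, unlabelled relations would throw or end up with the string "undefined" as their title. `title: title ? common.sanitizeText(title, configApi.getConfig()) : title` keeps the old behaviour for the unlabelled case without weakening the sanitization. addRelation's body starts outside the hunk.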
const addDescription = function (id, _descr) {
@@ -204,8 +204,7 @@ const addDescription = function (id, _descr) {
if (descr[0] === ':') {
descr = descr.substr(1).trim();
}
-
- theState.descriptions.push(descr);
+ theState.descriptions.push(common.sanitizeText(descr, config));
};
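Review bot: The changed line relies on a `config` binding that is not defined anywhere in the hunk, whereas the addState and addRelation hunks call `configApi.getConfig()` at the time of the call; if `config` is captured once at module load it would not reflect a `securityLevel` set through the config API before parsing, so it is worth confirming it is read inside addDescription. addDescription's body starts outside the hunk.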
export const cleanupLabel = function (label) {
diff --git a/src/diagrams/state/stateRenderer-v2.js b/src/diagrams/state/stateRenderer-v2.js
index 70822b1753..31da0e1846 100644
--- a/src/diagrams/state/stateRenderer-v2.js
+++ b/src/diagrams/state/stateRenderer-v2.js
@@ -7,6 +7,7 @@ import { getConfig } from '../../config';
import { render } from '../../dagre-wrapper/index.js';
import { log } from '../../logger';
import { configureSvgSize } from '../../utils';
+import common from '../common/common';
const conf = {};
export const setConf = function (cnf) {
@@ -15,6 +16,7 @@ export const setConf = function (cnf) {
conf[keys[i]] = cnf[keys[i]];
}
};
+let mainConfig = getConfig();
let nodeDb = {};
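Review bot: `let mainConfig = getConfig();` is added at module level, but the new sanitization in setupNode (the following hunk) calls `getConfig()` directly, so `mainConfig` appears unused in the visible changes; if nothing outside the hunks reads it, the line should go. If it is used elsewhere, a value captured at import time will not see configuration applied later through the config API, which matters for a setting that decides whether sanitization happens, and it should at least be `const` since it is never reassigned here.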
@@ -51,7 +53,7 @@ const setupNode = (g, parent, node, altFlag) => {
nodeDb[node.id] = {
id: node.id,
shape,
- description: node.id,
+ description: common.sanitizeText(node.id, getConfig()),
classes: 'statediagram-state',
};
}