diff --git a/cypress/integration/other/xss.spec.js b/cypress/integration/other/xss.spec.js
index fb052d1716..ef4878bc43 100644
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -68,5 +68,10 @@ describe('XSS', () => {
cy.wait(1000);
cy.get('#the-malware').should('not.exist');
})
+ it('should not allow maniplulating antiscript to run javascript using onerror in state diagrams', () => {
+ cy.visit('http://localhost:9000/xss7.html');
+ cy.wait(1000);
+ cy.get('#the-malware').should('not.exist');
+ })
})
diff --git a/cypress/platform/xss7.html b/cypress/platform/xss7.html
new file mode 100644
index 0000000000..9ca548acfd
--- /dev/null
+++ b/cypress/platform/xss7.html
@@ -0,0 +1,99 @@
+ + + + + + + + +
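Review bot: The title of the new test case misspells "manipulating" as `maniplulating`, and that string is what ends up in the test report; suggest `it('should not allow manipulating antiscript to run javascript using onerror in state diagrams', () => {`. The case also follows the surrounding pattern of a fixed `cy.wait(1000)` followed by an absence assertion on `#the-malware`, which passes trivially if the diagram has not finished rendering when the check runs; asserting on a rendered element of the diagram before the absence check would make the negative result meaningful. The enclosing describe block starts before this hunk.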
Security check
+
+
+
+ + + + +
diff --git a/src/diagrams/state/stateDb.js b/src/diagrams/state/stateDb.js
index 4b752cedb6..2e65bbe828 100644
--- a/src/diagrams/state/stateDb.js
+++ b/src/diagrams/state/stateDb.js
@@ -1,10 +1,10 @@
import { log } from '../../logger';
import { generateId } from '../../utils';
import mermaidAPI from '../../mermaidAPI';
+import common from '../common/common';
import * as configApi from '../../config';
const clone = (o) => JSON.parse(JSON.stringify(o));
-
let rootDoc = [];
export const parseDirective = function (statement, context, type) {
@@ -148,7 +148,7 @@ export const addState = function (id, type, doc, descr, note) {
}
}
- if (note) currentDocument.states[id].note = note;
+ if (note) currentDocument.states[id].note = common.sanitizeText(note, configApi.getConfig());
};
export const clear = function () {
@@ -195,7 +195,7 @@ export const addRelation = function (_id1, _id2, title) {
}
addState(id1, type1);
addState(id2, type2);
- currentDocument.relations.push({ id1, id2, title: title });
+ currentDocument.relations.push({ id1, id2, title: common.sanitizeText(title, configApi.getConfig()) });
};
const addDescription = function (id, _descr) {
@@ -204,8 +204,7 @@ const addDescription = function (id, _descr) {
if (descr[0] === ':') {
descr = descr.substr(1).trim();
}
-
- theState.descriptions.push(descr);
+ theState.descriptions.push(common.sanitizeText(descr, config));
};
export const cleanupLabel = function (label) {
diff --git a/src/diagrams/state/stateRenderer-v2.js b/src/diagrams/state/stateRenderer-v2.js
index 70822b1753..31da0e1846 100644
--- a/src/diagrams/state/stateRenderer-v2.js
+++ b/src/diagrams/state/stateRenderer-v2.js
@@ -7,6 +7,7 @@ import { getConfig } from '../../config';
import { render } from '../../dagre-wrapper/index.js';
import { log } from '../../logger';
import { configureSvgSize } from '../../utils';
+import common from '../common/common';
const conf = {};
export const setConf = function (cnf) {
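Review bot: The added line in the addDescription hunk passes `config` to sanitizeText, whereas the two other sanitize calls added in this file (addState's note and addRelation's title) pass `configApi.getConfig()`, and the config module is imported under the name `configApi` in the first hunk. No `config` binding is visible in these hunks; unless one is defined elsewhere in the file, every state description will throw a ReferenceError at this line, and if one does exist as a module-level snapshot it would not reflect a securityLevel set later through initialize, unlike the live lookup the sibling calls use. Suggest making it consistent: `theState.descriptions.push(common.sanitizeText(descr, configApi.getConfig()));`. The start of addDescription (where `theState` and `descr` are set up) lies outside the hunk.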
@@ -15,6 +16,7 @@ export const setConf = function (cnf) {
conf[keys[i]] = cnf[keys[i]];
}
};
+let mainConfig = getConfig();
let nodeDb = {};
@@ -51,7 +53,7 @@ const setupNode = (g, parent, node, altFlag) => {
nodeDb[node.id] = {
id: node.id,
shape,
- description: node.id,
+ description: common.sanitizeText(node.id, getConfig()),
classes: 'statediagram-state',
};
}
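Review bot: `let mainConfig = getConfig();` added after setConf captures the configuration once at module-evaluation time, and nothing in the visible hunks reads it; the sanitize call added in setupNode correctly calls `getConfig()` at use time instead. If mainConfig is intended as the config for sanitization elsewhere in this file, it would ignore a `securityLevel` set through a later initialize call, which is exactly the setting sanitizeText appears to depend on. Either remove the binding or, if it is needed, declare it `const` with a comment such as `// import-time snapshot of config; do not use for securityLevel checks, call getConfig() instead`. The surrounding module continues outside both hunks.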