Correct handling of the note object foir state diagrams when sanitizing it

dist/mermaid.core.js

@@ -3266,7 +3266,10 @@ var rectWithTitle = function rectWithTitle(parent, node) {
 
   _logger__WEBPACK_IMPORTED_MODULE_1__["log"].info('Label text abc79', title, text2, _typeof(text2) === 'object');
   var text = label.node().appendChild(Object(_createLabel__WEBPACK_IMPORTED_MODULE_5__["default"])(title, node.labelStyle, true, true));
-  var bbox;
+  var bbox = {
+    width: 0,
+    height: 0
+  };
 
   if (Object(_diagrams_common_common__WEBPACK_IMPORTED_MODULE_8__["evaluate"])(Object(_config__WEBPACK_IMPORTED_MODULE_3__["getConfig"])().flowchart.htmlLabels)) {
     var div = text.children[0];
@@ -7405,9 +7408,11 @@ var removeScript = function removeScript(txt) {
     }
   }
 
-  rs = rs.replace(/javascript:/g, '#');
-  rs = rs.replace(/onerror=/g, 'onerror:');
-  rs = rs.replace(/<iframe/g, '');
+  rs = rs.replace(/script>/gi, '#');
+  rs = rs.replace(/script>/gi, '#');
+  rs = rs.replace(/javascript:/gi, '#');
+  rs = rs.replace(/onerror=/gi, 'onerror:');
+  rs = rs.replace(/<iframe/gi, '');
   return rs;
 };
 
@@ -7437,7 +7442,10 @@ var sanitizeMore = function sanitizeMore(text, config) {
 };
 
 var sanitizeText = function sanitizeText(text, config) {
-  var txt = sanitizeMore(dompurify__WEBPACK_IMPORTED_MODULE_0___default.a.sanitize(text), config);
+  var level = config.securityLevel;
+  console.log('security level', level);
+  if (!text) return text;
+  var txt = dompurify__WEBPACK_IMPORTED_MODULE_0___default.a.sanitize(sanitizeMore(text, config));
   return txt;
 };
 var lineBreakRegex = /<br\s*\/?>/gi;
@@ -22578,7 +22586,8 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var _logger__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(/*! ../../logger */ "./src/logger.js");
 /* harmony import */ var _utils__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(/*! ../../utils */ "./src/utils.js");
 /* harmony import */ var _mermaidAPI__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(/*! ../../mermaidAPI */ "./src/mermaidAPI.js");
-/* harmony import */ var _config__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(/*! ../../config */ "./src/config.js");
+/* harmony import */ var _common_common__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(/*! ../common/common */ "./src/diagrams/common/common.js");
+/* harmony import */ var _config__WEBPACK_IMPORTED_MODULE_4__ = __webpack_require__(/*! ../../config */ "./src/config.js");
 function _typeof(obj) { "@babel/helpers - typeof"; if (typeof Symbol === "function" && typeof Symbol.iterator === "symbol") { _typeof = function _typeof(obj) { return typeof obj; }; } else { _typeof = function _typeof(obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; }; } return _typeof(obj); }
 
 
@@ -22586,6 +22595,7 @@ function _typeof(obj) { "@babel/helpers - typeof"; if (typeof Symbol === "functi
 
 
 
+
 var clone = function clone(o) {
   return JSON.parse(JSON.stringify(o));
 };
@@ -22749,7 +22759,7 @@ var addState = function addState(id, type, doc, descr, note) {
     }
   }
 
-  if (note) currentDocument.states[id].note = note;
+  if (note) currentDocument.states[id].note = _common_common__WEBPACK_IMPORTED_MODULE_3__["default"].sanitizeText(note, _config__WEBPACK_IMPORTED_MODULE_4__["getConfig"]());
 };
 var clear = function clear() {
   documents = {
@@ -22797,7 +22807,7 @@ var addRelation = function addRelation(_id1, _id2, title) {
   currentDocument.relations.push({
     id1: id1,
     id2: id2,
-    title: title
+    title: _common_common__WEBPACK_IMPORTED_MODULE_3__["default"].sanitizeText(title, _config__WEBPACK_IMPORTED_MODULE_4__["getConfig"]())
   });
 };
 
@@ -22809,7 +22819,7 @@ var addDescription = function addDescription(id, _descr) {
     descr = descr.substr(1).trim();
   }
 
-  theState.descriptions.push(descr);
+  theState.descriptions.push(_common_common__WEBPACK_IMPORTED_MODULE_3__["default"].sanitizeText(descr, _config__WEBPACK_IMPORTED_MODULE_4__["getConfig"]()));
 };
 
 var cleanupLabel = function cleanupLabel(label) {
@@ -22860,7 +22870,7 @@ var trimColon = function trimColon(str) {
 /* harmony default export */ __webpack_exports__["default"] = ({
   parseDirective: parseDirective,
   getConfig: function getConfig() {
-    return _config__WEBPACK_IMPORTED_MODULE_3__["getConfig"]().state;
+    return _config__WEBPACK_IMPORTED_MODULE_4__["getConfig"]().state;
   },
   addState: addState,
   clear: clear,
@@ -22909,11 +22919,12 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var _dagre_wrapper_index_js__WEBPACK_IMPORTED_MODULE_5__ = __webpack_require__(/*! ../../dagre-wrapper/index.js */ "./src/dagre-wrapper/index.js");
 /* harmony import */ var _logger__WEBPACK_IMPORTED_MODULE_6__ = __webpack_require__(/*! ../../logger */ "./src/logger.js");
 /* harmony import */ var _utils__WEBPACK_IMPORTED_MODULE_7__ = __webpack_require__(/*! ../../utils */ "./src/utils.js");
+/* harmony import */ var _common_common__WEBPACK_IMPORTED_MODULE_8__ = __webpack_require__(/*! ../common/common */ "./src/diagrams/common/common.js");
+
 
 
 
 
- // import { evaluate } from '../common/common';
 
 
 
@@ -22963,7 +22974,7 @@ var setupNode = function setupNode(g, parent, node, altFlag) {
       nodeDb[node.id] = {
         id: node.id,
         shape: shape,
-        description: node.id,
+        description: _common_common__WEBPACK_IMPORTED_MODULE_8__["default"].sanitizeText(node.id, Object(_config__WEBPACK_IMPORTED_MODULE_4__["getConfig"])()),
         classes: 'statediagram-state'
       };
     } // Build of the array of description strings accordinging

src/diagrams/state/stateDb.js

@@ -148,7 +148,13 @@ export const addState = function (id, type, doc, descr, note) {
     }
   }
 
-  if (note) currentDocument.states[id].note = common.sanitizeText(note, configApi.getConfig());
+  if (note) {
+    currentDocument.states[id].note = note;
+    currentDocument.states[id].note.text = common.sanitizeText(
+      currentDocument.states[id].note.text,
+      configApi.getConfig()
+    );
+  }
 };
 
 export const clear = function () {