Add security level "antiscript" option, to allow rich HTML formatting while removing all script elements.

This commit is contained in:
Toan 2020-07-05 23:04:22 +07:00
parent 5242672efb
commit fce2a16e42
3 changed files with 66 additions and 8 deletions


@ -77,11 +77,12 @@ const config = {
/** /**
*| Parameter | Description |Type | Required | Values| *| Parameter | Description |Type | Required | Values|
*| --- | --- | --- | --- | --- | *| --- | --- | --- | --- | --- |
*| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose | *| securitylevel | Level of trust for parsed diagram|String | Required | Strict, Loose, antiscript |
* *
***Notes: ***Notes:
*- **strict**: (**default**) tags in text are encoded, click functionality is disabeled *- **strict**: (**default**) tags in text are encoded, click functionality is disabeled
*- **loose**: tags in text are allowed, click functionality is enabled *- **loose**: tags in text are allowed, click functionality is enabled
*- **antiscript**: html tags in text are allowed, (only script element is removed), click functionality is enabled
*/ */
securityLevel: 'strict', securityLevel: 'strict',
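Review bot: The new `antiscript` note is too reassuring for a security-level description: the parenthetical "only script element is removed" is accurate, but a reader will take the level name to mean script cannot run, while tag removal alone leaves any script carried in attributes or URLs in place. I would state the limitation in the note itself, e.g. `*- **antiscript**: html tags in text are allowed, only <script> elements are removed (script carried in attributes or URLs is not stripped), click functionality is enabled`, so callers do not enable it for untrusted diagram text. The Values column could also use the same casing as the other two (`Strict, Loose, Antiscript`) for consistency.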


@ -5,6 +5,30 @@ export const getRows = s => {
return str.split('#br#'); return str.split('#br#');
}; };
export const removeScript = txt => {
var rs = '';
var idx = 0;
while (idx >= 0) {
idx = txt.indexOf('<script');
if (idx >= 0) {
rs += txt.substr(0, idx);
txt = txt.substr(idx + 1);
idx = txt.indexOf('</script>');
if (idx >= 0) {
idx += 9;
txt = txt.substr(idx);
}
} else {
rs += txt;
idx = -1;
break;
}
}
return rs;
};
export const sanitizeText = (text, config) => { export const sanitizeText = (text, config) => {
let txt = text; let txt = text;
let htmlLabels = true; let htmlLabels = true;
@ -14,12 +38,18 @@ export const sanitizeText = (text, config) => {
) )
htmlLabels = false; htmlLabels = false;
if (config.securityLevel !== 'loose' && htmlLabels) { if (htmlLabels) {
// eslint-disable-line var level = config.securityLevel;
txt = breakToPlaceholder(txt);
txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;'); if (level == 'antiscript') {
txt = txt.replace(/=/g, '&equals;'); txt = removeScript(txt);
txt = placeholderToBreak(txt); } else if (level !== 'loose') {
// eslint-disable-line
txt = breakToPlaceholder(txt);
txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;');
txt = txt.replace(/=/g, '&equals;');
txt = placeholderToBreak(txt);
}
} }
return txt; return txt;
@ -48,5 +78,6 @@ export default {
sanitizeText, sanitizeText,
hasBreaks, hasBreaks,
splitBreaks, splitBreaks,
lineBreakRegex lineBreakRegex,
removeScript
}; };
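Review bot: `removeScript` matches only the lowercase `'<script'` and `'</script>'` via `indexOf`, but HTML tag names are case-insensitive, so a `<SCRIPT>` or `<Script>` element passes through untouched and the `antiscript` level does not deliver what its name promises; it also strips only `<script>` elements, not script reachable through attributes or URLs, which should at least be documented on the function. A case-insensitive, closing-tag-tolerant version is two lines: `txt = txt.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');` followed by `txt = txt.replace(/<script\b[\s\S]*$/i, '');` for an unterminated opening tag, which also removes the `var`/`while`/`substr` loop. In the `sanitizeText` hunk, `level == 'antiscript'` should be `level === 'antiscript'` and `var level` should be `const level`, matching the `let` style already used in the function; `sanitizeText` begins and ends outside this hunk.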


@ -0,0 +1,26 @@
import { removeScript } from './common';
describe('when securityLevel is antiscript, all script must be removed', function() {
it('should remove all script block, script inline.', function() {
const labelString = `1
Act1: Hello 1<script src="http://abc.com/script1.js"></script>1
<b>Act2</b>:
1<script>
alert('script run......');
</script>1
1`;
const result = removeScript(labelString);
const hasScript = (result.indexOf("script") >= 0);
expect(hasScript).toEqual(false);
const exactlyString = `1
Act1: Hello 11
<b>Act2</b>:
11
1`;
const isEqual = (result == exactlyString);
expect(isEqual).toEqual(true);
});
});
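Review bot: The test only covers lowercase, well-formed `<script>…</script>` pairs, so it would keep passing if uppercase or unterminated script tags survived; add cases for `<SCRIPT>`, a `<script src=…>` with no closing tag, and text containing the word "script" outside a tag to pin the intended contract. The assertions would also be more useful written directly, `expect(result).toEqual(exactlyString);` instead of comparing with `==` into a boolean, since a failure then prints the actual and expected strings. The `hasScript` check can be dropped once the equality assertion is direct.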