Commit c4bb0a11 authored by Cindy Pallares's avatar Cindy Pallares

Merge branch 'security-mermaid-xss' into 'master'

[master] Fix XSS in mermaid diagrams

See merge request gitlab/gitlabhq!2597
parent e3a5ce58
......@@ -26,6 +26,9 @@ export default function renderMermaid($els) {
},
// mermaidAPI options
theme: 'neutral',
flowchart: {
htmlLabels: false,
},
});
$els.each((i, el) => {
......
---
title: Configure mermaid to not render HTML content in diagrams
merge_request:
author:
type: security
......@@ -40,6 +40,18 @@ describe "User comments on issue", :js do
expect(page.find('pre code').text).to eq code_block_content
end
it "does not render html content in mermaid" do
html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
mermaid_content = "graph LR\n B-->D(#{html_content});"
comment = "```mermaid\n#{mermaid_content}\n```"
add_note(comment)
wait_for_requests
expect(page.find('svg.mermaid')).to have_content html_content
end
end
context "when editing comments" do
......
......@@ -18,7 +18,7 @@ describe 'Mermaid rendering', :js do
visit project_issue_path(project, issue)
%w[A B C D].each do |label|
expect(page).to have_selector('svg foreignObject', text: label)
expect(page).to have_selector('svg text', text: label)
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment