Merge branch 'security-mermaid-xss' into 'master'

[master] Fix XSS in mermaid diagrams

See merge request gitlab/gitlabhq!2597

app/assets/javascripts/behaviors/markdown/render_mermaid.js

@@ -26,6 +26,9 @@ export default function renderMermaid($els) {
         },
         // mermaidAPI options
         theme: 'neutral',
+        flowchart: {
+          htmlLabels: false,
+        },
       });
 
       $els.each((i, el) => {

changelogs/unreleased/security-mermaid-xss.yml

+---
+title: Configure mermaid to not render HTML content in diagrams
+merge_request:
+author:
+type: security

spec/features/issues/user_comments_on_issue_spec.rb

@@ -40,6 +40,18 @@ describe "User comments on issue", :js do
 
       expect(page.find('pre code').text).to eq code_block_content
     end
+
+    it "does not render html content in mermaid" do
+      html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
+      mermaid_content = "graph LR\n  B-->D(#{html_content});"
+      comment = "```mermaid\n#{mermaid_content}\n```"
+
+      add_note(comment)
+
+      wait_for_requests
+
+      expect(page.find('svg.mermaid')).to have_content html_content
+    end
   end
 
   context "when editing comments" do

spec/features/markdown/mermaid_spec.rb

@@ -18,7 +18,7 @@ describe 'Mermaid rendering', :js do
     visit project_issue_path(project, issue)
 
     %w[A B C D].each do |label|
-      expect(page).to have_selector('svg foreignObject', text: label)
+      expect(page).to have_selector('svg text', text: label)
     end
   end
 end