#847 Removing </> in text

mermaid-js · Jul 14, 2019 · 31576f8 · 31576f8
1 parent 31a2b2c
commit 31576f8
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 37 deletions.
diff --git a/src/config.js b/src/config.js
@@ -0,0 +1,6 @@
+let config
+
+export const setConfig = conf => {
+  config = conf
+}
+export const getConfig = () => config
diff --git a/src/diagrams/flowchart/flowDb.js b/src/diagrams/flowchart/flowDb.js
@@ -2,7 +2,9 @@ import * as d3 from 'd3'
 
 import { logger } from '../../logger'
 import utils from '../../utils'
+import { getConfig } from '../../config'
 
+const config = getConfig()
 let vertices = {}
 let edges = []
 let classes = []
@@ -13,6 +15,16 @@ let subCount = 0
 let direction
 // Functions to be run after graph rendering
 let funs = []
+
+const sanitize = text => {
+  let txt = text
+  txt = txt.replace(/<br>/g, '#br#')
+  txt = txt.replace(/<br\S*\/>/g, '#br#')
+  txt = txt.replace(/</g, '&lt;').replace(/>/g, '&gt;')
+  txt = txt.replace(/#br#/g, '<br/>')
+  return txt
+}
+
 /**
  * Function called by parser when a node definition has been found
  * @param id
@@ -35,7 +47,7 @@ export const addVertex = function (id, text, type, style, classes) {
     vertices[id] = { id: id, styles: [], classes: [] }
   }
   if (typeof text !== 'undefined') {
-    txt = text.trim()
+    txt = sanitize(text.trim())
 
     // strip quotes if string starts and exnds with a quote
     if (txt[0] === '"' && txt[txt.length - 1] === '"') {
@@ -76,7 +88,7 @@ export const addLink = function (start, end, type, linktext) {
   linktext = type.text
 
   if (typeof linktext !== 'undefined') {
-    edge.text = linktext.trim()
+    edge.text = sanitize(linktext.trim())
 
     // strip quotes if string starts and exnds with a quote
     if (edge.text[0] === '"' && edge.text[edge.text.length - 1] === '"') {
@@ -172,6 +184,9 @@ const setTooltip = function (ids, tooltip) {
 }
 
 const setClickFun = function (id, functionName) {
+  if (config.strictSecurity) {
+    return
+  }
   if (typeof functionName === 'undefined') {
     return
   }
@@ -335,6 +350,7 @@ export const addSubGraph = function (id, list, title) {
 
   id = id || ('subGraph' + subCount)
   title = title || ''
+  title = sanitize(title)
   subCount = subCount + 1
   const subGraph = { id: id, nodes: nodeList, title: title.trim(), classes: [] }
   subGraphs.push(subGraph)

diff --git a/src/diagrams/flowchart/parser/flow.spec.js b/src/diagrams/flowchart/parser/flow.spec.js
@@ -1333,7 +1333,7 @@ describe('when parsing ', function () {
       const edges = flow.parser.yy.getEdges()
 
       expect(vert['C'].type).toBe('round')
-      expect(vert['C'].text).toBe('Chimpansen hoppar åäö  <br> -  ÅÄÖ')
+      expect(vert['C'].text).toBe('Chimpansen hoppar åäö  <br/> -  ÅÄÖ')
     })
         // xit('it should handle åäö, minus and space and br',function(){
         //    const res = flow.parser.parse('graph TD; A[Object&#40;foo,bar&#41;]-->B(Thing);');
@@ -1460,7 +1460,7 @@ describe('when parsing ', function () {
 
     expect(edges.length).toBe(0)
     expect(vert['a'].type).toBe('diamond')
-    expect(vert['a'].text).toBe('A <br> end')
+    expect(vert['a'].text).toBe('A <br/> end')
   })
   it('should handle a single round node with html in it', function () {
         // Silly but syntactically correct
@@ -1471,7 +1471,7 @@ describe('when parsing ', function () {
 
     expect(edges.length).toBe(0)
     expect(vert['a'].type).toBe('round')
-    expect(vert['a'].text).toBe('A <br> end')
+    expect(vert['a'].text).toBe('A <br/> end')
   })
   it('should handle a single node with alphanumerics starting on a char', function () {
         // Silly but syntactically correct
@@ -1573,15 +1573,19 @@ describe('when parsing ', function () {
   })
 
   describe('special characters should be be handled.', function () {
-    const charTest = function (char) {
+    const charTest = function (char, result) {
       const res = flow.parser.parse('graph TD;A(' + char + ')-->B;')
 
       const vert = flow.parser.yy.getVertices()
       const edges = flow.parser.yy.getEdges()
 
       expect(vert['A'].id).toBe('A')
       expect(vert['B'].id).toBe('B')
-      expect(vert['A'].text).toBe(char)
+      if(result){
+        expect(vert['A'].text).toBe(result)
+      }else{
+        expect(vert['A'].text).toBe(char)
+      }
     }
 
     it('it should be able to parse a \'.\'', function () {
@@ -1614,16 +1618,19 @@ describe('when parsing ', function () {
     })
 
     it('it should be able to parse a \'<\'', function () {
-      charTest('<')
+      charTest('<','&lt;')
     })
 
     it('it should be able to parse a \'>\'', function () {
-      charTest('>')
+      charTest('>','&gt;')
     })
 
     it('it should be able to parse a \'=\'', function () {
       charTest('=')
     })
+    it('it should be able to parse a \'&\'', function () {
+      charTest('&')
+    })
   })
 
   it('should be possible to declare a class', function () {

diff --git a/src/diagrams/gantt/ganttDb.js b/src/diagrams/gantt/ganttDb.js
@@ -1,7 +1,9 @@
 import moment from 'moment-mini'
 import { logger } from '../../logger'
 import * as d3 from 'd3'
+import { getConfig } from '../../config'
 
+const config = getConfig()
 let dateFormat = ''
 let axisFormat = ''
 let excludes = []
@@ -62,10 +64,12 @@ export const getExcludes = function () {
 }
 
 export const setTitle = function (txt) {
+  console.log('Setting title ', txt)
   title = txt
 }
 
 export const getTitle = function () {
+  console.log('Title is ', title)
   return title
 }
 
@@ -451,6 +455,9 @@ export const setClass = function (ids, className) {
 }
 
 const setClickFun = function (id, functionName, functionArgs) {
+  if (config.strictSecurity) {
+    return
+  }
   if (typeof functionName === 'undefined') {
     return
   }

diff --git a/src/diagrams/gantt/parser/gantt.js b/src/diagrams/gantt/parser/gantt.js
diff --git a/src/mermaidAPI.js b/src/mermaidAPI.js
@@ -14,7 +14,7 @@
 import * as d3 from 'd3'
 import scope from 'scope-css'
 import pkg from '../package.json'
-
+import { setConfig } from './config'
 import { logger, setLogLevel } from './logger'
 import utils from './utils'
 import flowRenderer from './diagrams/flowchart/flowRenderer'
@@ -77,6 +77,11 @@ const config = {
    */
   logLevel: 5,
 
+  /**
+   * **strictSecurity** A boolean flag setting the level of trust to be used on the parsed diagrams. When set to true the click functionality is disabled.
+   */
+  strictSecurity: false,
+
   /**
    * **startOnLoad** - This options controls whether or mermaid starts when the page loads
    */
@@ -240,6 +245,7 @@ const config = {
 }
 
 setLogLevel(config.logLevel)
+setConfig(config)
 
 function parse (text) {
   const graphType = utils.detectType(text)