
Commit 2efe338

sidharthv96fourcube
andcommitted
fix: sanitize addHtmlLabel in createLabel
Co-authored-by: Chris Grieger <chris@scolp.de>
1 parent 7509b06 commit 2efe338


1 file changed

+17
-13
lines changed


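--- a/packages/mermaid/src/dagre-wrapper/createLabel.js
+++ b/packages/mermaid/src/dagre-wrapper/createLabel.js
@@ -1,7 +1,7 @@
 import { select } from 'd3';
-import { log } from '../logger.js';
 import { getConfig } from '../diagram-api/diagramAPI.js';
-import { evaluate } from '../diagrams/common/common.js';
+import { evaluate, sanitizeText } from '../diagrams/common/common.js';
+import { log } from '../logger.js';
 import { decodeEntities } from '../utils.js';
 
 /**
@@ -18,20 +18,23 @@ function applyStyle(dom, styleFn) {
 * @param {any} node
 * @returns {SVGForeignObjectElement} Node
 */
-function addHtmlLabel(node) {
+function addHtmlLabel(node, config) {
 const fo = select(document.createElementNS('http://www.w3.org/2000/svg', 'foreignObject'));
 const div = fo.append('xhtml:div');
 
 const label = node.label;
 const labelClass = node.isNode ? 'nodeLabel' : 'edgeLabel';
 div.html(
-'<span class="' +
-labelClass +
-'" ' +
-(node.labelStyle ? 'style="' + node.labelStyle + '"' : '') +
-'>' +
-label +
-'</span>'
+sanitizeText(
+'<span class="' +
+labelClass +
+'" ' +
+(node.labelStyle ? 'style="' + node.labelStyle + '"' : '') +
+'>' +
+label +
+'</span>',
+config,
+),
 );
 
 applyStyle(div, node.labelStyle);
@@ -53,19 +56,20 @@ const createLabel = (_vertexText, style, isTitle, isNode) => {
 if (typeof vertexText === 'object') {
 vertexText = vertexText[0];
 }
-if (evaluate(getConfig().flowchart.htmlLabels)) {
+const config = getConfig();
+if (evaluate(config.flowchart.htmlLabels)) {
 // TODO: addHtmlLabel accepts a labelStyle. Do we possibly have that?
 vertexText = vertexText.replace(/\\n|\n/g, '<br />');
 log.debug('vertexText' + vertexText);
 const node = {
 isNode,
 label: decodeEntities(vertexText).replace(
 /fa[blrs]?:fa-[\w-]+/g, // cspell: disable-line
-(s) => `<i class='${s.replace(':', ' ')}'></i>`
+(s) => `<i class='${s.replace(':', ' ')}'></i>`,
 ),
 labelStyle: style.replace('fill:', 'color:'),
 };
-let vertexNode = addHtmlLabel(node);
+let vertexNode = addHtmlLabel(node, config);
 // vertexNode.parentNode.removeChild(vertexNode);
 return vertexNode;
 } else {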
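Review bot: In `addHtmlLabel`, `node.labelStyle` is still concatenated unescaped into the double-quoted `style="…"` attribute, so a `"` inside a style value is kept from turning into extra attributes on the span only by `sanitizeText`, whose behaviour and dependence on `config` are not visible in this diff. Escaping the value before concatenation keeps the markup well-formed whatever the sanitizer configuration is, e.g. `'style="' + node.labelStyle.replace(/"/g, '&quot;') + '"'`. The JSDoc above the function still lists only `node`; adding `@param {object} config - Mermaid config forwarded to sanitizeText` would document the new argument, and any caller of `addHtmlLabel` outside these hunks would need to pass it as well. The body of `createLabel` continues past the last hunk, so the non-HTML `else` branch is not covered by this note.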
