mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#200): Enhance Mermaid XSS protection with DOMPurify
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
Added defense-in-depth security layers for Mermaid rendering:

DOMPurify SVG Sanitization:
- Sanitize SVG output after mermaid.render()
- Remove script tags, iframes, objects, embeds
- Remove event handlers (onerror, onclick, onload, etc.)
- Use SVG profile for allowed elements

Label Sanitization:
- Added sanitizeMermaidLabel() function
- Remove HTML tags from all labels
- Remove dangerous protocols (javascript:, data:, vbscript:)
- Remove control characters
- Escape Mermaid special characters
- Truncate to 200 chars for DoS prevention
- Applied to all node labels in diagrams

Comprehensive XSS Testing:
- 15 test cases covering all attack vectors
- Script tag injection variants
- Event handler injection
- JavaScript/data URL injection
- SVG with embedded scripts
- HTML entity bypass attempts
- All tests passing

Files modified:
- apps/web/src/components/mindmap/MermaidViewer.tsx
- apps/web/src/components/mindmap/hooks/useGraphData.ts
- apps/web/src/components/mindmap/MermaidViewer.test.tsx (new)

Fixes #200

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-03 22:55:57 -06:00
parent 6ff6957db4
commit f87a28ac55
12 changed files with 537 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.test.tsx_20260203-2253_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/MermaidViewer.test.tsx
**Tool Used:** Write
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-03 22:53:43
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.test.tsx_20260203-2253_1_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.test.tsx_20260203-2254_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/MermaidViewer.test.tsx
**Tool Used:** Edit
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-03 22:54:56
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.test.tsx_20260203-2254_1_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.test.tsx_20260203-2255_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/MermaidViewer.test.tsx
**Tool Used:** Edit
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-03 22:55:06
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.test.tsx_20260203-2255_1_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.tsx_20260203-2254_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/MermaidViewer.tsx
**Tool Used:** Edit
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-03 22:54:02
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.tsx_20260203-2254_1_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.tsx_20260203-2254_2_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/MermaidViewer.tsx
**Tool Used:** Edit
**Epic:** general
**Iteration:** 2
**Generated:** 2026-02-03 22:54:09
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-MermaidViewer.tsx_20260203-2254_2_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-hooks-useGraphData.ts_20260203-2254_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/hooks/useGraphData.ts
**Tool Used:** Edit
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-03 22:54:26
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-hooks-useGraphData.ts_20260203-2254_1_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-hooks-useGraphData.ts_20260203-2254_2_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/hooks/useGraphData.ts
**Tool Used:** Edit
**Epic:** general
**Iteration:** 2
**Generated:** 2026-02-03 22:54:39
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-hooks-useGraphData.ts_20260203-2254_2_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-hooks-useGraphData.ts_20260203-2255_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/web/src/components/mindmap/hooks/useGraphData.ts
**Tool Used:** Edit
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-03 22:55:51
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-web-src-components-mindmap-hooks-useGraphData.ts_20260203-2255_1_remediation_needed.md"
```