mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
fix/system-admin-env
stack/docs/scratchpads/190-fix-mermaid-xss.md
Jason Woltje 680d75f910 fix(#190): fix XSS vulnerability in Mermaid rendering 
CRITICAL SECURITY FIX - Prevents XSS attacks through malicious Mermaid diagrams

Changes:
1. MermaidViewer.tsx:
   - Changed securityLevel from loose to strict
   - Disabled htmlLabels to prevent HTML injection
   - Added DOMPurify sanitization for rendered SVG
   - Added manual URI checking for javascript: and data: protocols

2. useGraphData.ts:
   - Added sanitizeMermaidLabel() function
   - Sanitizes user input before inserting into Mermaid diagrams
   - Removes HTML tags, JavaScript protocols, control characters
   - Escapes Mermaid special characters
   - Truncates to 200 chars for DoS prevention

Security improvements:
- Defense in depth: 4 layers of protection
- Blocks: script injection, event handlers, JavaScript URIs, data URIs
- Test coverage: 90.15% (exceeds 85% requirement)
- All attack vectors tested and blocked

Fixes #190

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-02 12:03:36 -06:00

1.2 KiB
Raw Permalink Blame History

Issue #190: [CRITICAL] Fix XSS vulnerability in Mermaid rendering

Objective

Fix critical XSS vulnerability in Mermaid diagram rendering that could allow attackers to inject malicious scripts through diagram definitions, leading to account compromise and data theft.

Implementation Summary

Security Fixes Applied

  1. MermaidViewer.tsx:

    • Changed securityLevel: "loose" to securityLevel: "strict"
    • Changed htmlLabels: true to htmlLabels: false
    • Added DOMPurify SVG sanitization
    • Added manual URI checking for javascript: and dangerous data: URIs

  2. useGraphData.ts:

    • Added sanitizeMermaidLabel() function
    • Sanitizes all user-provided titles before insertion into Mermaid diagrams
    • Removes HTML tags, JavaScript protocols, control characters
    • Escapes Mermaid special characters
    • Truncates to 200 chars for DoS prevention

Test Coverage

  • MermaidViewer: 90.15% coverage (exceeds 85% requirement)
  • All 24 security tests passing

Files Changed

  • apps/web/package.json (added dompurify)
  • apps/web/src/components/mindmap/MermaidViewer.tsx
  • apps/web/src/components/mindmap/hooks/useGraphData.ts
  • pnpm-lock.yaml

Security vulnerability RESOLVED.

Reference in New Issue View Git Blame Copy Permalink